New cyber framework draft sharpens focus on implementation

After a nearly two-week delay caused by the government shutdown, the National Institute of Standards and Technology released the latest version of its cybersecurity framework on Oct. 22, and it aims to better secure U.S. companies and government agencies.

The new draft, originally slated for an Oct. 10 release, goes into significantly greater detail than the version released Aug. 28, which laid out the framework's core, implementation tiers and profile. Those three central pillars are designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders.

The latest draft has a sharpened and expanded focus on specific areas, including implementation logistics, privacy and civil liberties. Furthermore, the cybersecurity workforce has been added as an area in particular need of improvement.

During a call with reporters on Oct. 22, NIST Director Patrick Gallagher said areas that saw the most change between the two drafts were identified in discussions with industry, government and academia, especially those stemming from the most recent public meeting held in Dallas in September.

"The real focus following the last workshop in Dallas until now had to do with clarifications, expanded sections, and privacy and civil liberties considerations," Gallagher said. "There was always that requirement in the executive order, and I think there was a real focus in Dallas to bring that section out. There's additional guidance in the framework on how to use it -- some structural issues in how to think about the tiers and how to crosswalk between certain functional areas and practices. So a lot [of changes are] around usability and the methodology and practices surrounding civil liberties."

Another change in the new draft is the inclusion of the cybersecurity workforce as a key area for improvement, an issue that was not mentioned in the previous draft.

"While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure," the latest draft states. "As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments."

The idea of continued evolution in the document and the conversations surrounding it is a theme in the cybersecurity framework -- something that officials have stressed over the course of the year and that will continue to be a priority, Gallagher said.

For example, conformity and how it will be measured is still very much an evolving subject, as is the governance structure. He said the public workshop in Raleigh, N.C., in November will include discussion of options for an industry-led governance structure in the framework.

"This is not a once-through -- we are not done," Gallagher said. "Cyber threats are going to continue to evolve, [and] cyber risk management has to therefore evolve with them. The framework must be a living document, allowing for continuous improvement as technology and threats change and as businesses mature. It must evolve to meet business needs in real time."

The final draft is due in February 2014, a year after President Barack Obama directed NIST to establish the guidelines.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
