The cyber framework: What's next

A week after the White House's release of a comprehensive cybersecurity framework aimed at critical infrastructure, government leaders and industry experts are looking ahead to what comes next, with a focus on creating incentives and measuring success.

The National Institute of Standards and Technology embarked on a year-long process engaging stakeholders and developing the cyber framework, released on Feb. 12. Now federal agency leaders, owners and operators of critical infrastructure and executives at other organizations are figuring out what the framework means to them and how to implement its practices and methodology.

NIST officials continue to stress that the framework is just the first version of several to come, and that the collaborative process employed in the development of version 1.0 will continue, beginning in April with discussions on privacy. But for now, the focus is on implementation -- a process that NIST Director Patrick Gallagher hopes will reveal gaps in the framework.

"We deliberately created a pause in engagement ... for the very reason that I didn't want to get in the way of the adoption piece," Gallagher said Feb. 19 at the Brookings Institution in Washington. "I'm not expecting major revisions to the framework itself; the major impetus is going after gap areas and maturing the governance discussion. We should now start seriously ... setting up a governance scheme where many companies can work together to turn this into a routine process. We've had success with that in the cloud sector and smart grid, and we'd like to continue it here as well."

Outside of government, the general response has been one of cautious optimism. But Larry Clinton, director of the Internet Security Alliance, pointed out that commercial cybersecurity looks different from national security, and that this is just the beginning of efforts to bridge the gap between the two.

"The framework is not the answer to the cybersecurity problem, but it's a step in the right direction," Clinton said Feb. 19 in a webcast hosted by law firm Venable. "To put it in an Olympic context, this is the preliminaries and we still have to make it to the final rounds. And like in the Olympics, the competition gets tougher as you go along."

Many of the biggest questions about the framework center on familiar areas: the role of potential legislation and regulatory measures, incentivization and metrics for success.

"Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption; that's yet to emerge," said Jamie Barnett, co-chair of Venable's telecommunications group and a partner in the firm's cybersecurity practice. "There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption."

Gallagher defended his agency's work, particularly against the notion that the framework is "toothless" because it relies on voluntary compliance, and that there's too much focus on NIST controls -- the agency's guidelines and security publications, which account for much of its influence in the field.

"If you think regulation is a result of market failure, this is your opportunity to make sure the market doesn't fail. The most powerful force driving adoption is companies themselves. This is not just what you do internally," Gallagher said, but the relationship with suppliers, customers and other parts of a sector. "The framework is not about controls. ... our CIOs are drowning in piles of controls to look at. What's unique about the framework from a government perspective is the management approach of how to run a department. It makes cost allocation, skill sets [and] hiring decisions just as much a part of cybersecurity as controls."

Gallagher said that the framework's success or failure will take time to determine, but there are ways to see its impact taking shape.

"I think of the success story as having two elements," he said. "One is near term; that's the adoption. Is this inevitable? We're struggling with the nuts-and-bolts issues ... and it's coming from those organizations actually trying to implement this, so that's a success story. And while the final outcome is something we only learn retrospectively, I hope we see meaningful improvements in what we call security behavior. That can be skill level, capacity of staff, self-awareness -- I think there's a set of security behaviors that are quite measurable."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
