The cyber framework: What's next


A week after the White House's release of a comprehensive cybersecurity framework aimed at critical infrastructure, government leaders and industry experts are looking ahead to what comes next, with a focus on creating incentives and measuring success.

The National Institute of Standards and Technology embarked on a year-long process engaging stakeholders and developing the cyber framework, released on Feb. 12. Now federal agency leaders, owners and operators of critical infrastructure and executives at other organizations are figuring out what the framework means to them and how to implement its practices and methodology.

NIST officials continue to stress that the framework is just the first version of several to come, and that the collaborative process employed in the development of version 1.0 will continue, beginning in April with discussions on privacy. But for now, the focus is on implementation -- a process that NIST Director Patrick Gallagher hopes will reveal gaps in the framework.

"We deliberately created a pause in engagement ... for the very reason that I didn't want to get in the way of the adoption piece," Gallagher said Feb. 19 at the Brookings Institution in Washington. "I'm not expecting major revisions to the framework itself; the major impetus is going after gap areas and maturing the governance discussion. We should now start seriously ... setting up a governance scheme where many companies can work together to turn this into a routine process. We've had success with that in cloud sector and smart grid, and we'd like to continue it here as well."

Outside of government, the general response has been one of cautious optimism. But Larry Clinton, director of the Internet Security Alliance, pointed out that commercial cybersecurity looks different from national security, and that this is just the beginning of efforts to bridge the gap between the two.

"The framework is not the answer to the cybersecurity problem, but it's a step in the right direction," Clinton said Feb. 19 in a webcast hosted by law firm Venable. "To put it in an Olympic context, this is the preliminaries and we still have to make it to the final rounds. And like in the Olympics, the competition gets tougher as you go along."

Many of the biggest questions about the framework center on familiar areas: the role of potential legislation and regulatory measures, incentivization and metrics for success.

"Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption; that's yet to emerge," said Jamie Barnett, co-chair of Venable's telecommunications group and a partner in the firm's cybersecurity practice. "There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption."

Gallagher defended his agency's work, particularly against the notion that the framework is "toothless" because it relies on voluntary compliance, and that there's too much focus on NIST controls -- the agency's guidelines and security publications, which account for much of its influence in the field.

"If you think regulation is a result of market failure, this is your opportunity to make sure the market doesn't fail. The most powerful force driving adoption is companies themselves. This is not just what you do internally," Gallagher said, but the relationship with suppliers, customers and other parts of a sector. "The framework is not about controls. ... our CIOs are drowning in piles of controls to look at. What's unique about the framework from a government perspective is the management approach of how to run a department. It makes cost allocation, skill sets [and] hiring decisions just as much a part of cybersecurity as controls."

Gallagher said that the framework's success or failure will take time to determine, but there are ways to see its impact taking shape.

"I think of the success story as having two elements," he said. "One is near term; that's the adoption. Is this inevitable? We're struggling with the nuts-and-bolts issues ... and it's coming from those organizations actually trying to implement this, so that's a success story. And while the final outcome is something we only learn retrospectively, I hope we see meaningful improvements in what we call security behavior. That can be skill level, capacity of staff, self-awareness -- I think there's a set of security behaviors that are quite measurable."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
