NIST cyber framework depends on you

The Institute is trying to maximize opportunities for public participation in developing its guidelines.


The National Institute of Standards and Technology's draft cybersecurity framework is a stepping stone toward an October deadline for a preliminary plan -- and ultimately to a "final" document due in February 2014 under President Barack Obama's cyber executive order.

To get there, NIST continues to depend on industry and the public's involvement in creating comprehensive guidelines that are adoptable and effective. The new draft, released Aug. 28, comes just weeks ahead of NIST's fourth workshop, to be held in Dallas Sept. 11-13.

It is a pattern NIST has come to rely on in the creation of the cyber framework, said Adam Sedgewick, NIST senior IT policy advisor. The agency releases information asking for feedback, presents the feedback at a public workshop to launch discussion of key issues, then posts online the information from the workshop discussions that helps inform the next iteration of a draft framework.

"We've structured the whole 240 days [given in the executive order to issue the October draft] to try to maximize the amount of public engagement and feedback we could get," Sedgewick said. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

Through the process, NIST officials have been able to present the most comprehensive draft framework yet -- one that fleshes out the core of the guidance and proposed metrics for assessing an organization's cybersecurity standings, for example. The Aug. 28 version builds on a more skeletal iteration from July, and the forthcoming versions will continue that pattern of building on each other using feedback from stakeholders.

"The process lets us see the gap areas and common themes," Sedgewick said. "Are we reflecting the comments right, and is this the right path?"

Between now and October, architects of the framework hope to have discussions about a range of key issues, including:

  • whether the framework adequately addresses civil liberties and privacy;
  • how it can enable cost-effective implementation;
  • how it can provide the right tools to senior executives and boards of directors to understand risk management;
  • ensuring that the framework is inclusive of, not disruptive to, cybersecurity practices an organization has in place.

"We hope to really begin validating this document so we can continue to improve it with time. The Dallas workshop will help to get that information and feedback that we feel is critical to making this a successful approach," Sedgewick said. He added that those who cannot make it to Dallas can submit comments via e-mail at cyberframework@nist.gov, and that once the October preliminary framework is out there will be a formal comment period posted in the Federal Register.

But don't expect any downtime between October and the due date in February. Dialogue will be ongoing, Sedgewick said, and even though the "final" version of the framework is due in February, it will still continue to evolve beyond then.

"After October we're going to continue to kick this higher. We're coming to the stage where we're looking at implementation and we get to see what it looks like when it's put into practice," he said. "We don't see February as the end. We see February as another step in the process and we will continue to work with other agencies on other pieces of the executive order."