Shutdown would not threaten NIST framework schedule

NIST's preliminary cybersecurity framework, due in October, is essentially complete.

Officials at the National Institute of Standards and Technology have spent the last seven months crafting a comprehensive cybersecurity framework, and the potential government shutdown has triggered concerns that a critical Oct. 10 deadline could be endangered.

However, NIST Director Patrick Gallagher on Sept. 25 said otherwise, telling a Washington cybersecurity conference audience that the preliminary draft framework is effectively complete and ready for release. He also noted that the October release is just one step in an ongoing process.

Under a February executive order from President Barack Obama, NIST has been required to release draft frameworks at specific intervals. The most recent release came in August, when an informal preliminary draft was released ahead of the agency's fourth public collaboration meeting, held in Dallas.

The formal preliminary draft framework is due Oct. 10, 240 days after the executive order, and a final version is due at the one-year mark.

"We've structured the whole 240 days to try to maximize the amount of public engagement and feedback we could get," Adam Sedgewick, NIST senior IT policy adviser, said in July. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

The rigid timelines mean a government shutdown beginning Oct. 1 theoretically could put the intense efforts behind schedule if those working on the project are prohibited from continuing that work.

"The [executive order] had specific deadlines that didn't give an out for extenuating circumstances," said one source, speaking on background.

But Gallagher indicated that the extensive work, including the broad participation of industry, that has gone into the framework allows for a release even in the event of a shutdown, and others agreed.

"Much of the draft framework has been available for several weeks, and received substantial industry input both from the workshop NIST held in Dallas and a number of separate industry meetings," said Larry Clinton, president and CEO of the Internet Security Alliance, which has been involved in the framework development process. "The framework is a work in progress, and while I don't think it's complete [and] I doubt the NIST staff thinks it's complete yet either, it is certainly far enough along to be released on time as a draft."

NIST officials have made it clear that the framework's development will continue beyond the release of both the preliminary and the final versions.

"If this process we just did over the last eight months ends up being a once-through, then we've failed," Gallagher said, according to Federal News Radio. "The technology is too dynamic, and I don't believe the framework is perfect. We expect companies who adopt it and put it into use to identify places where it makes no sense and where there are gaps. We have to operationalize this collaboration we've built and turn it into a continuous process. So right away we have to start thinking about a 2.0 version. These early adopters that take up the challenge and put this into use are going to shape the framework, and I think they'll drive the governance of the process."

That ongoing development likely will include another workshop beyond the four that already took place across the country, according to Clinton. That and other continuing efforts will help shape the framework for a formal release in February.

"They've pretty much done what they need to do for October, and [if there is a shutdown], what they released last month before Dallas will just be tweaked," said Jim Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. "I think they have something releasable now and will be able to move forward as planned."