The cyber framework: What's next

Some in the private sector argue that legislation will be needed to provide the incentives necessary for the NIST standards to be widely adopted.

keyhole digital

A week after the White House's release of a comprehensive cybersecurity framework aimed at critical infrastructure, government leaders and industry experts are looking ahead to what comes next, with a focus on creating incentives and measuring success.

The National Institute of Standards and Technology embarked on a year-long process engaging stakeholders and developing the cyber framework, released on Feb. 12. Now federal agency leaders, owners and operators of critical infrastructure and executives at other organizations are figuring out what the framework means to them and how to implement its practices and methodology.

NIST officials continue to stress that the framework is just the first version of several to come, and that the collaborative process employed in the development of version 1.0 will continue, beginning in April with discussions on privacy. But for now, the focus is on implementation -- a process that NIST Director Patrick Gallagher hopes will reveal gaps in the framework.

"We deliberately created a pause in engagement ... for the very reason that I didn't want to get in the way of the adoption piece," Gallagher said Feb. 19 at the Brookings Institution in Washington. "I'm not expecting major revisions to the framework itself; the major impetus is going after gap areas and maturing the governance discussion. We should now start seriously ... setting up a governance scheme where many companies can work together to turn this into a routine process. We've had success with that in cloud sector and smart grid, and we'd like to continue it here as well."

Outside of government, the general response has been a sense of cautious optimism. But Larry Clinton, director of the Internet Security Alliance, pointed out the commercial cybersecurity looks different than national security, and this is just the beginning of efforts that will bridge the gap between the two.

"The framework is not answer to the cybersecurity problem, but it's a step in the right direction," Clinton said Feb. 19 in a webcast hosted by law firm Venable. "To put it in an Olympic context, this is the preliminaries and we still have to make it to the final rounds. And like in the Olympics, the competition gets tougher as you go along."

Many of the biggest questions about the framework center on familiar areas: the role of potential legislation and regulatory measures, incentivization and metrics for success.

"Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption, that's yet to emerge," said Jamie Barnett, co-chair of Venable's telecommunications group and a partner in the firm's cybersecurity practice. "There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption."

Gallagher defended his agency's work, particularly against the notion that the framework is "toothless" because it relies on voluntary compliance, and that there's too much focus on NIST controls -- the agency's guidelines and security publications, which account for much of its influence in the field.

"If you think regulation is a result of market failure, this is your opportunity to make sure the market doesn't fail. The most powerful force driving adoption is companies themselves. This is not just what you do internally," Gallagher said, but the relationship with suppliers, customers and other parts of a sector. "The framework is not about controls. ... our CIOs are drowning in piles of controls to look at. What's unique about the framework from a government perspective is the management approach of how to run a department. It makes cost allocation, skill sets [and] hiring decisions just as much a part of cybersecurity as controls."

Gallagher said that the framework's success or failure will take time to determine, but there are ways to see its impact taking shape.

"I think of the success story as having two elements," he said. "One is near term; that's the adoption. Is this inevitable? We're struggling with the nuts-and-bolts issues ... and it's coming from those organizations actually trying to implement this, so that's a success story. And while the final outcome is something we only learn retrospectively, I hope we see meaningful improvements in what we call security behavior. That can be skill level, capacity of staff, self-awareness -- I think there's a set of security behaviors that are quite measureable."

NEXT STORY: Automated passport system expands

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.