Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
NIST's cyber framework moves toward implementation stage
Wednesday - 10/23/2013, 4:10am EDT
After eight months, the National Institute of Standards and Technology Tuesday released the cybersecurity framework for critical infrastructure providers.
But now the real work begins. NIST must move from its role of bringing more than 3,000 industry, academics and government experts together to one of persuader with a goal of making sure companies understand the benefits of implementing the framework.
Part of how NIST, and the government at large, will do that is through incentives.
In August, the White House offered some details on the recommendations provided by the departments of Homeland Security, Commerce and Treasury as to the areas where incentives could help adoption of the framework.
A White House official said Tuesday some of the eight potential areas of incentives determined by the three agencies — insurance, grants, process preference, liability limitation, streamlined regulations, public recognition, rate recovery and cybersecurity research — are immediately applicable and would be implemented now.
Others can only be implemented once the cybersecurity framework is completed, so the administration will evaluate them in full once the framework is complete, the official said in an email.
"Agencies are already beginning to work with the insurance industry to develop groundwork so that the framework can be utilized properly within the current marketplace and developing the means to use framework adoption as a criteria for cybersecurity grants," the official said. "Discussing these agency reports publicly is an interim step and does not indicate the administration's final policy position on the recommended actions. We will be making more information on these efforts available as the framework and program are completed."
Additionally, agencies will review the framework over the next three months. Those that already regulate industry sectors, such as electricity or banking, will determine if they have enough regulatory authority.
The White House official said sector-specific and other relevant agencies, most of which are non-regulatory, are actively working with the Homeland Security Department to provide information necessary to carry out the responsibilities under the Executive Order.
NIST's release of the final draft version of the framework is step one of a multi- step process. It will accept comments over the next few months and then release a final Version 1.0 in February.
Patrick Gallagher, the director of NIST, said the agency will host the fifth workshop Nov. 14 to 15 in Raleigh, N.C.
"There we will be seeking one more round of input on the framework, and we will be discussing options for an industry led governance structure of the framework going forward," he said during a call with reporters Tuesday. "We continue to work on the framework after [it's released in February]."
Gallagher said he expects the privacy and civil liberties section of the framework to draw a lot of comments in November and possibly change the most when NIST releases version 1.0 in February.
Gallagher said the framework changed little since the August version. He joked that the final draft version is one of the worst kept secrets in Washington.
The framework provides a common language for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of risk management;
- Assess progress toward the target state;
- Foster communications among internal and external stakeholders.
The document is centered around five core functions — identify, protect, detect, respond and recover — which can provide a high-level, strategic view of an organization's management of cybersecurity risk.
Under each of these core areas, NIST identified underlying key categories and subcategories and matched them with examples, such as existing standards, guidelines and practices for each subcategory.
"The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk," the document stated. "A key objective of the framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk while factoring in larger systemic risks inherent to critical infrastructure."
Not a silver bullet
Gallagher said the framework will mean different things to different sized organizations.
"The underlying structure of what's needed is the same. The principles are the same. [All sizes of organizations] need to be able to identify, protect, detect, respond and recover to and from cyber threats," he said. "The framework provides a way for these organizations to match up their current efforts with best practices in these various functional areas and to gauge the maturity of their own cybersecurity systems."
Gallagher added the framework also gives them a way to set goals through a roadmap toward better security and lower their risks.