NIST's cyber framework moves toward implementation stage

Wednesday - 10/23/2013, 4:10am EDT

Jason Miller reports.


Eight months after the president's executive order on critical infrastructure cybersecurity, the National Institute of Standards and Technology on Tuesday released the preliminary draft of the cybersecurity framework for critical infrastructure providers.

But now the real work begins. NIST must move from its role of convening more than 3,000 experts from industry, academia and government to that of persuader, with the goal of making sure companies understand the benefits of implementing the framework.

Part of how NIST, and the government at large, will do that is through incentives.

In August, the White House offered some details on the recommendations provided by the departments of Homeland Security, Commerce and Treasury as to the areas where incentives could help adoption of the framework.

A White House official said Tuesday that some of the eight potential areas of incentives identified by the three agencies (insurance, grants, process preference, liability limitation, streamlined regulations, public recognition, rate recovery and cybersecurity research) are immediately applicable and would be implemented now.

Others depend on the finished framework, so the administration will evaluate them in full once version 1.0 is complete, the official said in an email.

"Agencies are already beginning to work with the insurance industry to develop groundwork so that the framework can be utilized properly within the current marketplace and developing the means to use framework adoption as a criterion for cybersecurity grants," the official said. "Discussing these agency reports publicly is an interim step and does not indicate the administration's final policy position on the recommended actions. We will be making more information on these efforts available as the framework and program are completed."

Multi-step process

Additionally, agencies will review the framework over the next three months. Those that already regulate industry sectors, such as electricity or banking, will determine whether their existing regulatory authority is sufficient to address the framework's requirements.

The White House official said sector-specific and other relevant agencies, most of which are non-regulatory, are actively working with the Homeland Security Department to provide the information needed to carry out their responsibilities under the executive order.

NIST's release of the preliminary framework is step one of a multi-step process. The agency will accept public comments over the coming months and then release a final version 1.0 in February.

Patrick Gallagher, the director of NIST, said the agency will host the fifth workshop Nov. 14 to 15 in Raleigh, N.C.

"There we will be seeking one more round of input on the framework, and we will be discussing options for an industry led governance structure of the framework going forward," he said during a call with reporters Tuesday. "We continue to work on the framework after [it's released in February]."

Gallagher said he expects the privacy and civil liberties section of the framework to draw a lot of comments in November and possibly change the most when NIST releases version 1.0 in February.

Gallagher said the framework has changed little since the August discussion draft. He joked that the preliminary version is one of the worst-kept secrets in Washington.

The framework provides a common language for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of risk management;
  • Assess progress toward the target state;
  • Foster communications among internal and external stakeholders.

The document centers on five core functions (identify, protect, detect, respond and recover), which together provide a high-level, strategic view of how an organization manages cybersecurity risk.

Under each core function, NIST identified key categories and subcategories and matched each subcategory with informative references: existing standards, guidelines and practices that show how an organization can meet it.

"The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk," the document stated. "A key objective of the framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk while factoring in larger systemic risks inherent to critical infrastructure."

Not a silver bullet

Gallagher said the framework will mean different things to organizations of different sizes.

"The underlying structure of what's needed is the same. The principles are the same. [All sizes of organizations] need to be able to identify, protect, detect, respond and recover to and from cyber threats," he said. "The framework provides a way for these organizations to match up their current efforts with best practices in these various functional areas and to gauge the maturity of their own cybersecurity systems."

Gallagher added that the framework also gives organizations a way to set goals, through a roadmap toward better security, and to lower their risk.