After delays due to the government shutdown, the National Institute of Standards and Technology (NIST) released on October 22 its latest version of a comprehensive cybersecurity framework for critical infrastructure as mandated by President Obama's February cybersecurity executive order (EO). This preliminary framework is subject to a 45-day public comment period, after which NIST will make revisions and then produce a final framework for publication in February.
Based on feedback received before, during and after a September workshop in Dallas, the fourth such meeting since the framework process kicked off in February, NIST incorporated a number of changes into the framework documents and introduced an additional document that offers an alternative mapping of key standards and reference materials used in the framework. The framework consists of five functions, twenty-two categories, ninety-seven subcategories and hundreds of informative standards and references.
Chief among the extensive changes is the introduction of a detailed methodology to protect privacy and civil liberties, modeled on the Fair Information Practice Principles (FIPPs) referenced in the Executive Order, which also stipulates that the framework should incorporate methodologies to mitigate any impact the framework might have on privacy and civil liberty. Another notable addition, in the areas for further improvement of the framework, is a discussion of the need for a skilled cybersecurity workforce.
Because this version of the framework is the first "official" unveiling of NIST's effort to date, meeting a mandatory milestone in the EO through publication of the preliminary framework in the Federal Register, many trade associations, industry groups and corporations publicly lauded the government group's efforts, with most adopting a wait-and-see attitude before embracing the actual framework itself. "We appreciate the collaborative efforts led by Patrick Gallagher and NIST which sought significant input from many public and private stakeholders across the 16 critical infrastructure sectors," the National Cable & Telecommunications Association said in a statement.
"TIA applauds NIST and Director Gallagher for their commitment to fulfill the President's goals in his February 2013-issued Executive Order to strengthen the nation's resilience to cybersecurity vulnerabilities," Grant Seiffert, President of the Telecommunications Industry Association said.
McAfee Federal Director Tom Conway, meanwhile, released a statement that did actually praise the framework itself. "One of the great things about the NIST Preliminary Cybersecurity Framework is that it reflects a true public-private collaboration," he said. "There's been a lot of talk about public-private partnership in cyber security, but this framework goes beyond rhetoric: it's the real deal."
Although most of these positive statements reflect typical political posturing to ensure continued key player status in Washington, they nonetheless also reflect the genuine goodwill among the hundreds of participants who have gathered together four times (with a fifth meeting scheduled in November) for mostly multi-day intensive meetings to help NIST hammer out the framework. The noted sense of collaboration and community, and the willingness of NIST to deal with and incorporate often fractious feedback, is the signal achievement of the framework process, many participants said.
Sign up for CIO Asia eNewsletters.