"Now what we've developed is a framework for people working together," Jack Whitsitt, Principal Analyst for the energy industry cybersecurity consortium EnergySec, said. "Industry was wildly supportive; they showed up and gave input and their input was accepted. That's phenomenal."
"NIST has been trustworthy," according to one chief security officer involved in the process, who noted that the latest version of the framework goes a long way toward correcting some of the problems he flagged. "The venues for the community to collaborate and talk with each other" for the common good have been one of the most positive aspects of the framework's development, he said.
Even so, the latest version of the framework itself still falls short of offering a viable means of effectively improving cybersecurity practices, many participants said. "Actually reducing cybersecurity risks has not been part of the conversation," Whitsitt said. "We shouldn't lose sight that we haven't worked on the problem of effectiveness."
One continuing and prominent problem with the framework, which many participants have raised throughout the process, is that it lacks clear guidance as to what actually constitutes adoption of the framework. "I still don't know what it means to adopt the framework," Larry Clinton, head of the Internet Security Alliance, said. Without a clear definition of adoption, the framework could be relatively toothless, leaving individual organizations free to simply assert adoption with no means of assessing whether they have actually adopted it.
Another central issue that hasn't been resolved is the lack of prioritization among the framework's recommendations, particularly for small and mid-sized firms unversed in the complex lingo of cybersecurity practices. "It doesn't help people put [things] in useful order," Whitsitt said.
Clinton also said that the framework still misses the mark in meeting the executive order's requirement that the framework provide a prioritized, cost-effective approach. "They seem to be affirmatively walking away from the very specific order that the framework be prioritized and that it be cost-effective. It's probably one of the things most needed by their target audience. The question is where do I spend it? Where do I get the best bang for the buck?"
Another chief ongoing concern is the degree to which the framework might become mandatory for many critical infrastructure sectors through regulatory maneuvers. Although the EO stipulates that the framework is voluntary, it also requires relevant federal agencies to submit a report to the President stating whether they have clear authority to establish requirements based on the framework.
That report is due within 90 days of October 22, the date on which NIST published its latest version, that is, by January 20, 2014, shortly before NIST finalizes the framework. The original deadline for publication of the final framework, set before the government shutdown, was February 12, 2014, a deadline NIST is still hoping to meet despite the delay.