The National Institute of Standards and Technology (NIST) held a fifth workshop in Raleigh, North Carolina last week on the comprehensive Preliminary Cybersecurity Framework mandated under President Obama's February 2013 executive order, the last such gathering before the framework becomes final in February.
NIST's goals for this previously unscheduled workshop were to solicit further feedback from the hundreds of cybersecurity specialists, attorneys, policymakers and government employees in attendance and offer guidance on what lies ahead in applying and updating it.
Most of the attendees were pleased with how rapidly the framework, intended to improve cybersecurity across sixteen critical infrastructure industries, moved from concept to sophisticated model in less than a year. But a number of perceived problems still surround the framework's usefulness, applicability and scope.
The current version of the framework "is the culmination of a successful effort over the course of many months to identify the key issues and where there might be industry consensus," Robert Mayer, Vice President of Industry and State Affairs at telecom trade association US Telecom said. But, he added, "it's still clear that several major issues require additional clarification, including the definition of adoption, the availability of incentives and the criteria for measuring success."
The question of what constitutes adoption of the framework, and the related question of what incentives will be available for adopting it, have been identified throughout the development process as potential obstacles to the framework achieving its intended purpose. The existing version of the framework draws no bright lines defining adoption, which some critical infrastructure owners say suits them just fine.
"From my perspective the framework should be used as a guideline," Chris Boyer, Assistant Vice President, Global Public Policy at AT&T said during a panel discussion. "Ultimately the adoption should be left up to the owners and operators of critical infrastructure."
Still, "it's just not clear what it means to adopt the framework," Larry Clinton, President of the Internet Security Alliance (ISA) said. "Uncertainty leads to underinvestment. They [critical infrastructure asset owners] will not know whenever an investment will qualify as an investment to the framework."
The ISA has proposed that a beta test be developed in order to not only track the issues that come up with implementation but also to develop data that would be useful in promoting long-term adoption of the cybersecurity model. "Let's have a systematic trial with industry and government collaborating through the sector coordinating councils [established under the Department of Homeland Security (DHS)]", Clinton said.
The beta test concept was a frequent off-agenda topic of discussion among the workshop attendees but NIST officials seemed lukewarm to the idea.
"It's another proposal that's out there," Adam Sedgewick, key organizer of the framework development process said. "This whole process has been beta testing."