Some asset owners have suggested that there are too many moving parts in the overall cybersecurity landscape and have noted rising tensions between NIST, an arm of the Commerce Department, and DHS.
"NIST and DHS aren't doing a good job in deciding how this is going to work," one expert noted.
But one senior government official overseeing the process said that many cybersecurity efforts in the EO and PPD just aren't relevant to how the framework gets developed.
"The framework is supposed to work for the widest range of industries" and therefore it doesn't matter how critical infrastructure gets defined, for example.
"DHS is making the decision that has no bearing on this framework," he said, adding that it is likely that the list of critical infrastructure assets won't be made public anyway.
Yet another challenge is the degree to which the framework process is being shaped by technology vendors and consultants, who far outnumber asset owners in the workshop meetings held to date. Although NIST wants to bake-in cybersecurity through vendor-supplied technology, thereby ensuring that even small organizations which lack resources to pay cybersecurity specialists are guaranteed basic protection, some asset owners balk at being force-fed technology that may better fit vendor agendas than their own safety. One telecom cybersecurity specialist said he wished that NIST would separate asset owners from vendors and consultants in the workshop sessions.
Despite these challenges, most of the participants in the process believe that NIST is on track and that the draft framework materials released for the July workshop meet expectations. However, the real action will take place at the workshop as NIST go into greater detail on where they're headed with the framework.
With only about three months left to meet the October deadline, most of the key players are taking a wait-and-see attitude, hoping to gain a better sense of the situation until after the workshop in San Diego. As one telecom industry representative said "we have to see whether this whole process has the result we're looking for, which is to improve our cybersecurity posture, and not some feel-good government exercise."
Sign up for CIO Asia eNewsletters.