Comments on NIST Cybersecurity Framework show work remains

Industry representatives expressed the need to expand the framework and raise awareness

The National Institute of Standards and Technology Cybersecurity Framework has given the private sector a strong foundation for protecting computer networks, but businesses need more guidance about how to implement it and a mechanism to share best practices.

That’s the takeaway from more than 100 responses to NIST’s December request for feedback on the framework. Respondents to the agency’s request for information included cybersecurity firms, research and trade organizations, local governments, infrastructure companies and even tech giants such as Microsoft. It was a diversity that Michael Barrett, the program manager for the framework, called a pleasant surprise.

“Of all the dimensions of [the responses], the diversity makes me the happiest,” he told FedScoop in an interview. “We saw local, state, national and even international government — foreign governments. To see so many parties outside of infrastructure — that’s so cool.”

The Framework was originally released in 2014 as a guide for private sector owners and operators of vital U.S. industries, known as critical infrastructure, to improve their cybersecurity. But since then its broad, thematic structure and voluntary status have endeared it to companies and other organizations from a wide variety of business sectors and from other areas like local government.


Last week, NIST released an analysis of the responses that highlights several themes, and shows that there is wide support for the framework to be maintained and updated.

“We recommend that guidelines be provided so that organizations that have had little to no experience with training can, at the very least, have a starting point,” said CompTIA, an IT industry association. “This is especially helpful for the [small-to-medium business] community that may not have the background knowledge and very often the resources needed to vet various training options.”

Other responders advocated for a set of case studies to be released, and for the establishment of a forum for the exchange of best practices related to infrastructure security.

“There is currently no forum for the free exchange of ideas,” said the Health Information Trust Alliance, or HITRUST. “While valuable, the NIST [Cybersecurity Framework] Industry Resources Website has limited content, and the addition of such content is strictly controlled by NIST. Case studies or similar accounts of an organization’s experience implementing the NIST [framework] could help other organizations leverage lessons learned by early adopters.”

Asked about the calls for such a forum, Barrett replied that the need was already on NIST’s radar.


“When we first released Version 1.0, the notion of a forum was something we thought perhaps would be needed at some point. Looking at the responses, we’re thinking perhaps that time is here,” he said. “That brings us to follow-up questions: so, we’ve identified the need for a forum: Is that a NIST thing? Another government agency? Something industry wants to manage themselves?”

Many organizations also responded to the idea that the framework should be transitioned into the hands of a third party, rather than remain under the custodianship of NIST. While many respondents advocated a gradual shift towards industry control, nearly all expressed the desire for sustained NIST influence.

“Our organization believes that the private sector should eventually govern the framework, but NIST needs to keep one hand on the wheel,” said the U.S. Chamber of Commerce. “NIST must maintain a key role in collaborating with industry and engaging foreign organizations and governments.”

According to Barrett, the purpose of questions regarding the inclusion of industry was not to suggest a NIST phase-out but rather to extend an opportunity for the private sector to take up a leadership role in safeguarding infrastructure.

“It can feel like passing of the torch, but the way we think about it is as a circumstance where we continue to be involved, and the question we mean to ask industry is: is there a larger role for you? You participated here in a substantive way – is there a place in all of this for industry and academia as far as governing the framework?”


The framework consists of a core set of standards and cybersecurity activities, a tiered system to gauge implementation, and test profiles of what the cybersecurity set-up of companies adhering to the framework should aim to look like.

Microsoft, while stressing that the framework has sparked productive internal dialogue, said that broadening the scope and honing the basic elements would enhance its relevance and further NIST’s goal of spreading awareness.

“The Framework has established a meaningful way for Microsoft to discuss, assess, and refine our cybersecurity risk management maturity,” J. Paul Nicholas, Microsoft’s senior director of Global Security Strategy and Diplomacy, states in a comment. “Updates to the Profile, Implementation Tiers, and Core will foster greater usability, and substantive updates, especially to support additional NIST guidance around authentication, will add important value.”

Barrett said that NIST was already working on honing these issues, and that a great deal of this work would be accomplished at the Cybersecurity Framework Workshop 2016 to be held at NIST’s Gaithersburg site next week.

“There was nothing that really took me by surprise,” he said. “On some of these questions, there wasn’t really a definitive yes or no conclusion: for example, the notion of an update got a mixed bag of responses.” 


“We’ll be attentive to that at the workshop. We’ll be asking ourselves: what are the respondents and attendees really trying to tell us here?”
