NIST releases preliminary cybersecurity framework as ‘living document’
The National Institute of Standards and Technology today released its preliminary cybersecurity framework to help critical infrastructure owners and operators identify security best practices and reduce cybersecurity risks.
NIST, a component of the Commerce Department, plans to release the final framework in February 2014, as called for in an executive order issued earlier this year by President Barack Obama.
That order, Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, directed NIST to work with the private sector, which owns and operates more than 85 percent of the nation’s critical infrastructure, to develop a voluntary framework for reducing cyber risks. NIST had originally planned to released the preliminary framework Oct. 10, but those plans were delayed by the government shutdown.
Patrick Gallagher, Commerce’s undersecretary for standards and technology who also serves as director of NIST, characterized the framework as “a living document” and said the planned release of the final version in February 2014 will not be the end of the process.
“This is not a once through,” said Gallagher, speaking to reporters Tuesday during a press briefing. “We are not done. Cyber-threats are going to continue to evolve, and cyber-risk management has to therefore evolve with them.”
Release of the preliminary framework comes on the heels of a discussion draft released in August. The latest version outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity, Gallagher said, emphasizing the voluntary nature of the guidelines designed to help companies “tailor a self-improvement process” for cybersecurity.
“There’s quite a bit of meat there in terms of best practices,” Gallagher said. But responding to questions about the framework’s lack of specificity, Gallagher said it was designed deliberately to be “usable, adaptable and scalable” for a wide variety of companies from different industries.
In fact, if there is one thing different about the NIST framework it is the “remarkable diversity of companies” that have contributed to the formulation of the guidelines, he said.
But there remain significant questions about the ability of a voluntary framework to lift the bar dramatically across the cybersecurity landscape of critical infrastructure owners and operators without Congress stepping in and providing some sort of financial or liability protection incentives in return for adherence.
“There will be a role for Congress,” Gallagher said. “But I don’t think it’s an issue of whether the framework can succeed without Congress.” Rather, the framework can provide “a real lens” for looking at the incentive discussion, he said.
“From the beginning, the president envisioned this as a voluntary effort that would be based on consensus standards and industry best practices to the extent possible,” Gallagher said. “And from the beginning, we wanted to make sure this was something that was flexible and able to be tailored to the needs of individual businesses,” he said. “This had to be a product of industry.”
So far, more than 3,000 cybersecurity practitioners have participated in the framework development, Gallagher said.
Gallagher described the framework as a compendium of “proven” best practices for protecting information, networks and privacy from cyber-threats. “Ultimately, what we want to do is turned today’s best practices into common and expected practices,” he said.
But the framework does not guarantee security, Gallagher said. “What the framework does not do is provide threat-proofing,” he said. “There is not a magic bullet here. This is not about eliminating cyber-risks; the framework is about managing them effectively.”
NIST plans to hold its fifth and final discussion workshop Nov. 14 at North Carolina State University in Raleigh, N.C. In addition to collecting a final round of input on the framework, Gallagher said NIST will be discussing options for establishing an industry-led governance structure for the framework.
Between now and February, however, NIST will be working closely with the federal agencies that have regulatory authority over specific industries to determine how it will impact their oversight of the companies in their industries. But Adam Sedgewick, a senior IT policy adviser who has been leading NIST’s work on the cybersecurity framework, said he does not believe the baseline recommendations outlined in the preliminary framework will clash with existing regulation regimes and there will be plenty of time for agencies to review how their regulations can fit into the framework process.
But many experts remain concerned about the framework’s privacy provisions. As FedScoop reported Oct. 16, some cybersecurity and critical infrastructure protection experts view the framework’s treatment of privacy and civil liberties as a “wild card,” arguing the language could lead to additional costly privacy regulations.
When FedScoop asked Gallagher directly if there should be any cause for concern about the potential impact of the framework’s treatment of privacy, he was adamant the framework was powerless to create new regulations or requirements for private industry.
“For a voluntary framework, it cannot create any new requirements for anybody,” Gallagher said. “And I do not believe that the language that was put in was designed to foreshadow or imply or create any new mandates or requirements,” he said.
NIST is expecting and open to additional comments on the framework’s privacy language, Gallagher said, adding he expects the concerns to “dissipate” as the agency refines the language.
As for the desire of some to see more specific guidance in the treatment of cybersecurity best practices, Gallagher said industry should not expect big surprises between now and February.
“The final framework should look like this framework,” he said. “There’s no secret framework in our hip pocket.”