Officials describe upcoming push to complete cybersecurity framework, next steps in process
Posted: October 22, 2013 – From Inside Cybersecurity
Federal officials today explained the changes reflected in the just-released preliminary framework of cybersecurity standards, set the stage for final tweaks to the document — and revealed they want to initiate a conversation on how to hand the management and growth of the framework over to the private sector.
Patrick Gallagher, director of the National Institute of Standards and Technology and under secretary of commerce for standards and technology, described the framework in a conference call with reporters as a “collection and compendium” of industry best practices and a structure for using the compendium.
The preliminary framework was released earlier today; the 45-day comment period will begin once the document is published in the Federal Register in the coming days, according to a NIST spokeswoman.
Gallagher said the framework provides a way to “set and meet” cybersecurity goals across critical infrastructure sectors, at different levels within companies and for different types of entities. He cautioned that it does not provide companies with “threat proofing” and was not a “once-through” process.
“We are not done,” Gallagher said. “Risk evolves and we have to evolve with it. . . . The framework must evolve to meet industry’s needs.”
Even as NIST works to finalize the framework by a February deadline, Gallagher said, discussions will begin on what comes after this version is completed. That will be a key topic of discussion at NIST’s fifth public workshop on the framework Nov. 14-15 at North Carolina State University in Raleigh, he said.
“We want to begin discussions on handing over the framework to an industry-led governing structure,” Gallagher said.
Completing framework 1.0
“The final framework should look very much like this framework,” Gallagher said, joking that there was no “secret framework” lurking at NIST. He also said the document is intended to apply across sectors and that NIST would not be developing sector-specific elements.
In the meantime, NIST has less than four months to complete what some call framework 1.0, and plenty of lingering questions from industry.
Gallagher acknowledged concerns about what it means to actually adopt the framework, saying this was to be expected given the complexity of the subject matter and comparing it to the adoption of “Smart Grid” standards.
“This part of the discussion is still continuing,” Gallagher said. “It will be discussed in North Carolina and it will continue to be discussed after February.”
But Gallagher stressed that there was no mandate within the framework that would compel companies to move up to higher cybersecurity implementation levels, emphasizing the voluntary nature of the program.
Gallagher also addressed questions about the expanded privacy language in the preliminary framework.
“The voluntary framework cannot create new requirements” on privacy, Gallagher said, adding that it doesn’t “foreshadow” new privacy standards for industry. He said he was looking forward to more discussion of privacy in the comment period and at the North Carolina workshop, predicting the concerns would “dissipate” as the conversation moves forward.
Gallagher said the framework offers a forum for discussing possible incentives for companies and acknowledged that Congress would probably have to weigh in on incentives. He noted that the Commerce, Homeland Security and Treasury departments have submitted recommendations on incentives to the White House but said there was no “specific process to distill those into specific recommendations.” — Charlie Mitchell (email@example.com)