Development of the new Cybersecurity Framework is now in full swing. President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity (which we previously covered) calls on NIST to lead the development of a Cybersecurity Framework that will provide “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risk.” Pursuant to the Executive Order, NIST must publish a preliminary version of the Framework by October 2013 and a final version by February 2014. This is a significant development in the United States because, once finalized, the Framework will likely become an authoritative benchmark against which the cybersecurity efforts of businesses across many sectors and industries will be measured.
The Executive Order requires NIST to engage in an “open public review and comment process” to develop the Framework. To that end, NIST has set up a series of workshops and requests for written comments to inform the Framework’s development. And NIST has established a website to host all materials related to its development of the Cybersecurity Framework. On April 3, NIST hosted the first such workshop to kick off the discussion. Reflecting the significance of the Framework’s development, the auditorium hosting the workshop was packed, with numerous additional attendees participating via webcast.
The opening workshop was an all-day event consisting of brief remarks and panel discussions. Among the presenters were NIST and DHS representatives, several senior officials from a broad cross-section of industries, and representatives from five different sector-specific Information Sharing & Analysis Centers (ISACs). Commerce Deputy Secretary Rebecca Blank’s opening remarks noted that the workshop is the first in a series of workshops and requests for comments, all aimed at providing NIST with as much outside input as possible to shape the Framework’s development. Deputy Secretary Blank told attendees, “I can’t emphasize this enough: the success of this effort is largely dependent on industry involvement.”
A few key themes emerged from the workshop’s participants:
- Numerous presenters stressed that NIST should not “reinvent the wheel” and should liberally draw on existing multistakeholder efforts to address cybersecurity concerns. In response, NIST representatives noted their intent to draw on existing best practices and standards as much as possible.
- Many of the industry representatives expressed the view that, for information sharing to be effective, Congress would need to legislate to address the antitrust, privacy, and liability-protection concerns that currently deter companies from sharing threat information.
- Many presenters also highlighted the importance of the Framework supporting enterprise risk management rather than emphasizing check-the-box compliance.
At this opening workshop, NIST announced that it will hold three additional workshops before October’s release of the preliminary Framework. The upcoming workshops, which NIST promised would be more interactive, will cover the following topics:
- Managing Risk
- Cyber Hygiene
- Tools and Metrics
There are already two separate requests for comment relating to the Cybersecurity Framework. NIST’s first Request for Information includes thirty-three specific questions, as well as open-ended inquiries, concerning current risk management practices; use of frameworks, standards, guidelines, and best practices; and specific industry practices. Written comments, which will be made publicly available, are due by 5 p.m. Eastern time on April 8. Separately, the Department of Commerce has published a Notice of Inquiry seeking input on ways to promote adoption of the Framework, including incentives that would require changes in law. Written comments on the Notice of Inquiry are due by April 29.
Paul Otto, an associate in our Washington office, contributed to this entry.