New cyber framework draft sharpens focus on implementation

After a nearly two-week delay caused by the government shutdown, the National Institute of Standards and Technology released the latest version of its cybersecurity framework on Oct. 22, and it aims to better secure U.S. companies and government agencies.

The new draft, originally slated for an Oct. 10 release, goes into significantly greater detail than the version released Aug. 28, which laid out the framework's core, implementation tiers and profile. Those three central pillars are designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders.

In the latest draft, there is sharpened and expanded focus on specific areas, including implementation logistics, privacy and civil liberties. Furthermore, the cybersecurity workforce has been added as an area in particular need of improvement.

During a call with reporters on Oct. 22, NIST Director Patrick Gallagher said areas that saw the most change between the two drafts were identified in discussions with industry, government and academia, especially those stemming from the most recent public meeting held in Dallas in September.

"The real focus following the last workshop in Dallas until now had to do with clarifications, expanded sections, and privacy and civil liberties considerations," Gallagher said. "There was always that requirement in the executive order, and I think there was a real focus in Dallas to bring that section out. There's additional guidance in the framework on how to use it -- some structural issues in how to think about the tiers and how to crosswalk between certain functional areas and practices. So a lot [of changes are] around usability and the methodology and practices surrounding civil liberties."

Another change in the new draft is the inclusion of the cybersecurity workforce as a key area for improvement, an issue that was not mentioned in the previous draft.

"While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure," the latest draft states. "As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments."

The idea of continued evolution in the document and the conversations surrounding it is a theme in the cybersecurity framework -- something that officials have stressed over the course of the year and that will continue to be a priority, Gallagher said.

For example, conformity and how it will be measured is still very much an evolving subject, as is the governance structure. He said the public workshop in Raleigh, N.C., in November will include discussion of options for an industry-led governance structure in the framework.

"This is not a once-through -- we are not done," Gallagher said. "Cyber threats are going to continue to evolve, [and] cyber risk management has to therefore evolve with them. The framework must be a living document, allowing for continuous improvement as technology and threats change and as businesses mature. It must evolve to meet business needs in real time."

The final draft is due in February 2014, a year after President Barack Obama directed NIST to establish the guidelines.