recommended reading

NIST Works to Drum Up Cyber Standards Support

Barack Obama signed an cybersecurity executive order last month

Barack Obama signed an cybersecurity executive order last month // Carolyn Kaster/AP

The National Institute of Standards and Technology has started visiting businesses to rally support for a nationwide cybersecurity program called for by a February executive order.

The Feb. 12 mandate directed NIST, a Commerce Department agency, to develop standard guidelines for protecting computer operations in key sectors. On Monday, at an industry briefing organized by law firm Venable LLP, government officials stressed the guidelines will not be performance standards. The protections, however, would become mandatory for certain companies under a White House legislative proposal, so the order has raised questions among lobbying groups.   

A draft “cybersecurity framework” – the official term for the voluntary regulations -- is expected to be released by November, said Ari Schwartz, a Commerce senior policy adviser.  NIST has published a formal notice requesting input from businesses and scheduled a brainstorming workshop for April 3 in Gaithersburg, Md. Future meetings to solicit feedback will not all be held in the suburbs, Adam Sedgewick, NIST senior information technology policy advisor, assured the audience, which was watching remotely via Webcast and at Venable's Washington office.

About 300 individuals had registered for the April session as of Monday, a NIST spokeswoman said after the Venable briefing.

The agency is making the rounds at a time when most businesses outside Washington likely do not even know there will be a nationwide cybersecurity program. About 82 percent of U.S. executives are not familiar with President Obama’s order, according to a March 4 survey of nearly 2,000 chief technology and chief financial officers, along with other top officials, conducted by consulting firm Deloitte. Close to 79 percent polled said they were not very confident in their organization’s ability to protect information systems and data from intrusions.  

Schwartz said the recommended practices largely will be aimed at firms managing “critical infrastructure” vital to daily living, such as banks, gas pipelines and water treatment facilities. The framework is not intended to provide “one-size-fits-all technical solutions,” he said.

At the April workshop, officials want to learn how organizations currently are managing risks and the types of industry cyber guidelines that already exist. In the future, “we certainly see ourselves traveling and going out and speaking” at meetings of the Critical Infrastructure Partnership Advisory Council, a public-private effort, and other events, Sedgewick said.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.