The cyber framework: What's next

Some in the private sector argue that legislation will be needed to provide the incentives necessary for the NIST standards to be widely adopted.

keyhole digital

A week after the White House's release of a comprehensive cybersecurity framework aimed at critical infrastructure, government leaders and industry experts are looking ahead to what comes next, with a focus on creating incentives and measuring success.

The National Institute of Standards and Technology embarked on a year-long process engaging stakeholders and developing the cyber framework, released on Feb. 12. Now federal agency leaders, owners and operators of critical infrastructure and executives at other organizations are figuring out what the framework means to them and how to implement its practices and methodology.

NIST officials continue to stress that the framework is just the first version of several to come, and that the collaborative process employed in the development of version 1.0 will continue, beginning in April with discussions on privacy. But for now, the focus is on implementation -- a process that NIST Director Patrick Gallagher hopes will reveal gaps in the framework.

"We deliberately created a pause in engagement ... for the very reason that I didn't want to get in the way of the adoption piece," Gallagher said Feb. 19 at the Brookings Institution in Washington. "I'm not expecting major revisions to the framework itself; the major impetus is going after gap areas and maturing the governance discussion. We should now start seriously ... setting up a governance scheme where many companies can work together to turn this into a routine process. We've had success with that in cloud sector and smart grid, and we'd like to continue it here as well."

Outside of government, the general response has been a sense of cautious optimism. But Larry Clinton, director of the Internet Security Alliance, pointed out the commercial cybersecurity looks different than national security, and this is just the beginning of efforts that will bridge the gap between the two.

"The framework is not answer to the cybersecurity problem, but it's a step in the right direction," Clinton said Feb. 19 in a webcast hosted by law firm Venable. "To put it in an Olympic context, this is the preliminaries and we still have to make it to the final rounds. And like in the Olympics, the competition gets tougher as you go along."

Many of the biggest questions about the framework center on familiar areas: the role of potential legislation and regulatory measures, incentivization and metrics for success.

"Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption, that's yet to emerge," said Jamie Barnett, co-chair of Venable's telecommunications group and a partner in the firm's cybersecurity practice. "There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption."

Gallagher defended his agency's work, particularly against the notion that the framework is "toothless" because it relies on voluntary compliance, and that there's too much focus on NIST controls -- the agency's guidelines and security publications, which account for much of its influence in the field.

"If you think regulation is a result of market failure, this is your opportunity to make sure the market doesn't fail. The most powerful force driving adoption is companies themselves. This is not just what you do internally," Gallagher said, but the relationship with suppliers, customers and other parts of a sector. "The framework is not about controls. ... our CIOs are drowning in piles of controls to look at. What's unique about the framework from a government perspective is the management approach of how to run a department. It makes cost allocation, skill sets [and] hiring decisions just as much a part of cybersecurity as controls."

Gallagher said that the framework's success or failure will take time to determine, but there are ways to see its impact taking shape.

"I think of the success story as having two elements," he said. "One is near term; that's the adoption. Is this inevitable? We're struggling with the nuts-and-bolts issues ... and it's coming from those organizations actually trying to implement this, so that's a success story. And while the final outcome is something we only learn retrospectively, I hope we see meaningful improvements in what we call security behavior. That can be skill level, capacity of staff, self-awareness -- I think there's a set of security behaviors that are quite measureable."