NIST Cyber Framework for Federal Agencies Coming Soon

The government’s cyber standards agency is nearing completion on a document that will help federal agencies integrate a cybersecurity framework developed for industry with government’s own particular cybersecurity requirements, an official said Wednesday.

Expect the document in the next two months or perhaps sooner, said Matthew Barrett, program manager for the National Institute of Standards and Technology’s Cybersecurity Framework.

The news comes as the Trump administration is considering mandating agencies comply with NIST’s cybersecurity framework as part of its long-delayed executive order on cybersecurity.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The broad goal is to “unify NIST’s risk management documents into a singular approach for federal agencies,” Barrett told reporters on the sidelines of a meeting of NIST’s Information Security and Privacy Advisory Board.

Or, more alliteratively, “framework meets FISMA,” he said, referring to the Federal Information Security Management Act, the main cyber reporting requirement for federal agencies.

The document, known as NIST Interagency Report 8170, has gone through seven internal versions over roughly the last year, Barrett said.

The remaining edits are more about messaging than about content, he said, making sure, for example, feds aren’t confused about what’s mandatory (FISMA) and what’s voluntary (the framework, for now).

If President Trump’s forthcoming executive order makes some portions of the framework mandatory for agencies, NIST will “factor that in as it comes,” Barrett said.  

“What we’re trying to do is we’ll say, ‘Hey, those who want to augment their FISMA-based practice with this cybersecurity framework thing that they’ve been hearing so much about, here’s a path to do so,'” he said.