Industry wary of power grab by feds on cybersecurity

The National Institute of Standards and Technology is launching a new initiative designed to energize industry-led efforts on cybersecurity amid concerns that federal and state regulators are increasingly eager to put their stamp on the issue.

NIST, the highly esteemed agency headquartered in Gaithersburg, Md., is releasing a “request for information” about next steps for its framework of cybersecurity standards. The framework is a voluntary, industry-driven tool that has been at the heart of the Obama administration’s cyberstrategy since Congress failed to advance a more regulatory approach in 2012.

The agency wants industry to provide “use cases” that can offer a road map for other companies to employ the framework, as well as insight on what is and isn’t working as businesses try adapting the framework to real-world conditions.

NIST wants to know where to go next and how to ensure the framework is a vital, living document that can help entities of all sizes improve their cyberposture.

That goal is broadly supported in the private sector.

The problem, according to industry sources, is that the administration failed to create a support system to help the framework prosper.

In the meantime, bureaucrats have “hijacked” the framework and are moving to fill a perceived policy gap with regulations, according to Internet Security Alliance president Larry Clinton.

“The notion of NIST working with the private sector to push the framework is the right approach,” Clinton recently told InsideCybersecurity.com. “But critical elements of implementing the voluntary approach have never been fulfilled. We have the engine for a voluntary approach but we’ve never seen the fuel.”

For one thing, Clinton said, the Obama administration hasn’t provided incentives for industry to invest in cybersecurity, as called for in 2013 under President Obama’s Executive Order 13636.

“Other than the [NIST] framework, the executive order has been largely abandoned,” Clinton said. “As a result, regulators at the state and federal level haven’t embraced it, and worse, they’ve mutated the framework into a regulatory model. Multiple agencies are allegedly using the framework — but they’re not using it as it was articulated in the executive order.”

Industry sources said the financial-services sector, defense contractors, electric companies, the automotive industry and even the maritime sector, among others, face overlapping and conflicting federal and state regulations.

Top that off with interagency “turf wars” among regulatory bodies eager “to get their fingers on the hot topic of cyber,” Clinton said, and the private sector is left confronting the very regulatory environment that the framework process was meant to avoid.

Clinton expressed hope that the upcoming request for information will create a forum for engaging on these issues.

“The framework can succeed but we need a second act: implementation consistent with the vision of the executive order,” he said.

Officials from NIST and the White House met last week with representatives from 27 major trade associations to discuss next steps for the framework. The meeting turned into a venting session for frustrated business-sector participants.

“We like the framework and NIST has done a great job, and we want to help make the transition from this administration to the next,” one industry source said. “But we need some help. There is a feeling that things are tilting toward the regulatory side.”

Another source said the White House is still in a “non-regulatory mode,” after championing the voluntary approach for the past couple of years.

Industry wants that message drilled down at the various agencies that set the rules on a daily basis.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.