A small federal agency in Gaithersburg, Md., has updated the seminal document underpinning how the government and industry should collaborate on cybersecurity — a key piece of President Trump’s strategy for securing federal networks.
This first revision of the 2014 framework of cybersecurity standards, a guide to cybersecurity risk management and to organizing cyber planning and strategy, was released on April 16. The National Institute of Standards and Technology has been making the rounds to familiarize industry and government audiences with the changes to the well-regarded document.
Changes include the addition of a section on self-assessment of cybersecurity risks for organizations; an expanded explanation of how to use the framework for cyber supply-chain risk management purposes; and new language on issues such as authenticating identities online.
But the real significance of the update is that it reflects continued buy-in by industry, more than four years after the framework’s original release, that this is the premier tool for organizing cybersecurity efforts in a way that satisfies the government but is much more flexible than regulations.
“Business leaders and policymakers view the Framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad,” the U.S. Chamber of Commerce’s Matthew Eggers said in a blog post.
“NIST officials continue to do an admirable job convening many organizations to make the Framework a practical, living document.”
He added, “Companies are enthusiastic about the Framework, in part, because it is neither biased toward any country’s laws nor bound by outdated and inflexible rules and procedures.”
This is “the era of applying the framework,” Matthew Barrett, NIST’s program manager for the framework, said in an interview. Earlier periods in the life of the framework had more basic objectives, such as telling people that the document existed and familiarizing companies with its tools and resources.
In essence, the framework offers a way for organizations to think about cybersecurity and build it into their individual cultures. It provides a system for entities to assess their cybersecurity posture and vulnerabilities, to set goals for improvement and to select the appropriate security tools and services.
An Obama executive order in 2013 called on NIST to create the voluntary document after legislative efforts to mandate cybersecurity improvements by the private sector crashed and burned the previous year.
Now, with Trump ordering every federal agency to apply the framework, and with cyberattacks on the private sector becoming increasingly costly, the document is a key front-line tool for all types of organizations and an important alternative to mandatory cyber regulations for the private sector.
“The NIST framework moves the discussion away from fear, uncertainty and doubt, and into science and objective reasoning,” said Vikram Phatak, CEO of the Austin-based NSS Labs, which assesses the effectiveness of cybersecurity products. He added that the framework helps companies “understand where the security gaps are and then they can decide on mitigation techniques.”
However, he said, the framework can be “misused in a regulatory context, it can’t be a checklist.”
Regulatory mandates to use the framework remain rare in the private sector, and Trump’s order requires its use only within the federal government. But a former high-ranking Pentagon official testified on the Hill just last week that Congress should require its use by operators of critical infrastructure.
“Congress can do more to incentivize the private sector to act. In particular, Congress should … mandate that critical infrastructure providers adopt the NIST Cybersecurity Framework,” said Harvard University researcher and former Department of Defense official Eric Rosenbach.
NIST’s Barrett said the latest iteration shows the framework is evolving in the right direction, and is voluntary and adaptable to each entity’s unique circumstances.
“We’ve never been closer to having a singular structure for alignment” of the tools and principles contained in the cyber framework with how organizations of various types are designing their cyber efforts, Barrett said.
Barrett said a packed house attended his recent presentation on “framework version 1.1” at the annual RSA Conference in San Francisco, the agency’s first chance to publicly discuss the update. And over 1,000 people logged on for a NIST webinar on the framework last week.
Next steps include discussions on complex, often controversial, topics such as measuring uses and effectiveness.
The framework is highly popular with many industry groups, not least for its voluntary approach to cyber improvements. But critics have said it doesn’t include a process for measuring effectiveness. A company can say it’s “using” the framework, but is its cybersecurity actually getting better?
Measurement language was included last year in the first draft of version 1.1, Barrett noted, but was subsequently taken out for further discussion. That discussion, he said, will address “measuring the effectiveness of cybersecurity on business outcomes and aligning metrics with organizational objectives.”
Then, Barrett said, “we can discuss tougher questions like cost-effectiveness and return on investment.”
In version 1.1, Barrett explained, NIST wanted to “affirm” the framework’s value in “expressing compliance with one’s own cybersecurity plans,” but also to recognize industry concerns about its language on compliance possibly being used in a regulatory context.
“We came back quickly [in the 1.1 document] and said it’s about industry’s internal use of the framework,” Barrett said. “Of course, regulators are a part of our stakeholder group, but we acknowledge that ‘compliance’ is a confusing term.”
Now, Barrett said, “we’re going to double down on how to apply the framework.”
This spring, Barrett said, he expects NIST to finalize the guidance to federal agencies on implementing the framework as required under Trump’s 2017 cybersecurity executive order. This will be a “conceptual piece … meant to help agency heads,” he said.
“We’ll continue outreach and education, but pivot more to online resources,” Barrett said, pointing to features being offered on NIST’s framework homepage such as “success stories,” which are “vignettes of successes other parties are having” with the framework.
NIST is also working with other agencies on “applying the framework,” including work with the National Highway Traffic Safety Administration on a cybersecurity “profile” for autonomous vehicles, Barrett said.