NIST Cybersecurity Framework Getting a Facelift, Looking to Make Adoption Easier

Posted on by Tony Kontzer

One of the biggest obstacles to securing the nation's critical infrastructure components, as well as to securing enterprise environments, is poor coordination.

Whether it's the lack of a common vocabulary, a lack of agreement about best practices and recommended methodologies, or simply seeing security through different lenses, it's clear that without a common playbook from which to collaborate, the public and private sectors both struggle to create truly effective security strategies.

It's against that backdrop that the National Institute of Standards and Technology is preparing to release an updated version of its Cybersecurity Framework, with an eye on making the framework easier to understand and adopt. NIST is currently reviewing public comments on the draft update (the comment period ended in January), and is expecting to release the new framework later this year.

The Cybersecurity Framework, which was first mandated by the Cybersecurity Enhancement Act of 2014, was born from an executive order issued by Barack Obama in 2013. Originally conceived as a way to get private sector entities charged with protecting critical infrastructure components such as roads, bridges and the power grid on the same page, the Cybersecurity Framework has subsequently been adopted by industries and organizations of all types and sizes.

In the original draft update announcement last January, Matt Barrett, NIST's program manager for the Cybersecurity Framework, put the new version in context.

“We wrote this update to refine and enhance the original document and to make it easier to use,” said Barrett. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.” 

Despite its voluntary nature, the widespread support for the framework, as well as recognition that it's had an impact, was clear from the comments of security leaders quoted in the draft announcement.

Richard Tracy, CSO of Telos Corp., lauded the framework's success in creating common ground, saying that "it helps us to communicate risk in ways everyone can understand, from the server room to the board room."

Matthew Eggers, executive director of cybersecurity policy for the U.S. Chamber of Commerce, agreed with that sentiment.

"Whether you're CEO or you just walked into a company for the first time as an employee, it's something you can feasibly grasp," said Eggers.

And perhaps the strongest endorsement of the framework's effectiveness thus far came from Greg Rattray, managing director at JP Morgan Chase: "It's really the most comprehensive view of the whole set of things we need to do." 

In fact, the Cybersecurity Framework has been so well-received that it's on its way to becoming a must-have on the competitive landscape.

"Considering how widely the framework is used these days, smart organizations will want to consider the distinct possibility that someday their security practices will be assessed against it," Laurence Pitt, strategic director of security for Juniper Networks' EMEA region, wrote in a recent piece for Dark Reading previewing the updated framework.

Enthusiasm aside, the framework can only reach its potential if it's adopted across the board. And while all signs are it's headed that way, it seems as if the pending update is very much needed.

A recent Government Accountability Office report found that "most of the 16 critical infrastructure sectors took action to facilitate adoption" of the framework, but it also identified some challenges to adoption resulting from factors such as limited resources and skills, regulatory requirements, and other pesky priorities that have to come first. 

In other words, despite all the momentum, there's still work to be done before the framework delivers the breadth of impact it's capable of. So long as organizations have to justify investing resources in other areas perceived to be higher priorities, the framework's impact will be limited.

However, if the pending update is successful in making the framework easier to understand and adopt, it can only help to widen its influence. And at a time when cyber attacks are growing in volume and complexity, security leaders can use all the help they can get.

Tony Kontzer, RSA Conference
