Cybersecurity Framework: Filling the Gaps

NIST's Adam Sedgewick on Civil Liberties, Metrics

By , August 13, 2013.

As a mid-September deadline looms, pressure mounts on a team of IT security experts to fill in the gaps in the cybersecurity framework, a series of IT security best practices that the operators of the nation's critical infrastructure could adopt voluntarily.

The draft of the framework, being jointly developed by industry and government experts under the auspices of the National Institute of Standards and Technology, will be presented at a workshop on Sept. 11 to 13 at the University of Texas at Dallas. The final version of the framework will be issued in February.


NIST's Adam Sedgewick, who leads the efforts to create the framework ordered by President Obama, says the gaps include civil liberties and privacy standards and practices and helpful cybersecurity metrics.

"There are some unique privacy needs that we'll identify through this process," Sedgewick says in an interview with Information Security Media Group [transcript below].

"We want to have really a robust conversation around those things as we're building this out going forward," he says.

Determining metrics to measure the effectiveness of the framework is another top challenge. "That's a topic that we've taken to the workshops and we'll continue to do," Sedgewick says.

One approach being evaluated is to allow for metrics to be flexible, which is a concept mentioned in the executive order.

In early July, NIST issued a proposed outline of the framework, which was vetted by industry and government participants at a cybersecurity framework workshop held July 10-12 in San Diego [see NIST Unveils Draft of Cybersecurity Framework].

In the interview, Sedgewick:

  • Summarizes the main themes of the draft outline of the cybersecurity framework;
  • Identifies gaps in the framework - privacy and civil liberties standards and practices and helpful cybersecurity metrics - that must be filled by the time it's released next February;
  • Explains the ways the private sector is involved in drafting the framework.

As senior IT policy adviser, Sedgewick represents NIST on the Department of Commerce Internet Policy Task Force and advises NIST leaders on cybersecurity. Previously, Sedgewick served as senior adviser to the Federal Chief Information Officer Council, coordinating cross-agency initiatives and assisting in the implementation of Office of Management and Budget policy and directives. For nine years, he served on the staff of the Senate Committee on Homeland Security and Governmental Affairs, handling cybersecurity and federal information technology policy.

Cybersecurity Framework Draft

ERIC CHABROW: Please take a few moments to summarize the main themes of the framework draft.

ADAM SEDGEWICK: We posted what we call the draft outline of the preliminary cybersecurity framework. What we're presenting out is very high level with a lot of gaps identified, and our work going forward is really to start filling in a lot of those gaps with our partners in industry and through the workshops that we're having throughout the country.

The basic approach that we've taken throughout this process is to have this sort of collaborative approach, similar to what NIST has done in a lot of other projects. We ask questions out. We get information in. We do some technical analysis. Then we present it back out to say, "Does this reflect where we are, where the critical infrastructure sectors are, and are we building something that can be used throughout industry?"

Going back to the president's executive order in February, at that point we released a request for information. Then we had some questions in a couple of key different areas. We asked: How do organizations think about cybersecurity risk? What are the standards, guidelines and methodologies they use to support that, the existing standards? Then we asked some tactical questions on particular things that we thought might apply to industries of all sizes and sectors. We put that out to see what we would get. We did some meetings with stakeholders among the sectors, and we got back 245 comments.
