NIST Plans Cybersecurity Framework Update
Winter 2017 Revision Would Refine, Clarify Provisions

The National Institute of Standards and Technology plans to update its 2-year-old cybersecurity framework late next year, says Matt Barrett, program manager.
In part one of a two-part interview with Information Security Media Group, Barrett characterizes the revision as a minor update rather than a major overhaul, one that refines and clarifies provisions in the existing framework. "Just to be clear, we're not headed toward a version 2.0 right now; we're definitely not," Barrett says. "We're headed to something that's more like a 1.1."
In the interview, Barrett also:
- Describes the type of revisions that might be incorporated in the updated framework;
- Addresses criticisms that NIST hasn't tested the framework to determine its value to organizations, especially small businesses; and
- Explains why NIST may continue to oversee the cybersecurity framework despite an initial plan that a private-sector-controlled organization take over governance.
In part two of this interview, which will be available soon, Barrett discusses how the cybersecurity framework helps facilitate communication among technical and nontechnical managers and executives who must collaborate to keep their enterprises' information systems secure.
Responding to an executive order issued by President Obama in February 2013, NIST a year later published the cybersecurity framework, based on existing standards, guidelines and practices. The framework, whose use is voluntary, is designed to help reduce cyber risks to the information systems of critical infrastructure providers.
Before returning to NIST in October 2014 as the framework's program manager, Barrett served as president of G2 Inc., a cyber and intelligence solutions firm. From January 2007 to July 2009, Barrett was NIST program manager for the security content automation protocol, commonly known as SCAP.