NIST Tailors Framework for Federal Agencies
Stakeholders Asked to Furnish Ideas on How Government Should Use Framework
The National Institute of Standards and Technology has issued draft guidance on how federal agencies can implement the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The Obama administration in 2014 issued the cybersecurity framework that describes the processes critical infrastructure operators can employ to assess and improve their ability to prevent, detect and respond to cyberattacks.
NIST began developing its new draft guidance on how federal agencies can use the framework, Interagency Report 8170, before President Donald Trump signed a cybersecurity executive order last week directing federal agencies to adopt the framework (see Trump Finally Signs Cybersecurity Executive Order).
"It is something that we have asked the private sector to implement, and not forced upon ourselves," Assistant to the President Tom Bossert said in announcing the executive order. "From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction."
How Useful Is the Framework?
The NIST draft says federal agencies can use the cybersecurity framework to complement the existing suite of NIST security and privacy risk management standards, guidelines and practices developed in response to the Federal Information Security Management Act.
Curt Kwak, former CIO of the Washington State health insurance exchange under the Affordable Care Act, says he sees implementing the executive order as a way government agencies can handle cybersecurity more consistently. "Having a single framework as a baseline is always a good thing, especially when you are talking about a mandate of aligning with NIST," says Kwak, now CIO at Proliance Surgeons, a large surgery practice.
Yet not all experts see the framework as an effective process to secure an organization's digital assets.
"Attempting to implement it is enormously difficult and costly," says Steven Chabinsky, a former deputy assistant director of the FBI cyber division and member of the nonpartisan White House Commission on Enhancing National Cybersecurity. "This is not because the NIST framework is poorly crafted, quite the opposite. ... [But] unfortunately, we lack sufficient metrics to determine whether and to what extent the NIST cybersecurity framework [is] cost-effective ... in the face of today's evolving threats. If vulnerability mitigation was inexpensive and easy to implement, one might [want] to have everyone do it under the theory that it couldn't hurt; but that's not the case."
Eight Case Studies
The draft guidance provides eight government use cases that describe how agencies can employ the framework. They include:
- Integrate enterprise and cybersecurity risk management;
- Manage cybersecurity requirements;
- Integrate and align cybersecurity and acquisition processes;
- Evaluate organizational cybersecurity;
- Manage the cybersecurity program;
- Maintain a comprehensive understanding of cybersecurity risk;
- Report cybersecurity risks; and
- Inform the tailoring process.
NIST is seeking comments on the new draft as well as suggestions on ways agencies can use the guidance, especially the potential opportunities and challenges. Comments should be sent by June 30 to firstname.lastname@example.org.