One of the most important cybersecurity initiatives of the entire Obama administration may change over the next couple of years, but not by much — and for officials at the National Institute of Standards and Technology, that’s a good thing.
NIST convened over a thousand people at its Gaithersburg, Maryland campus this week for a workshop to discuss proposed changes and updates to its Cybersecurity Framework — as more and more companies and other organizations adopt it as a guide to getting their own cybersecurity right.
The standards agency put on an RFI last December to learn how organizations are sharing framework best practices, what parts of the framework are utilized more than others and what sections need to be updated.
“Based on the responses and discussions[ around the RFI], there are opportunities to make small changes, clarifications, and maybe to expand some areas where it could be appropriate …. versus a framework 2.0,” or a complete overhaul, NIST Chief Cybersecurity Adviser Donna Dodson told FedScoop.
Dodson and other officials said Wednesday the diversity of the 105 organizations that responded surprised them, given that the framework was originally geared toward protecting critical infrastructure. Submitted comments ranged from aerospace company Boeing to telecom giant AT&T, to trade groups like CompTIA and NASCIO.
“The diversity really blew us away,” said Michael Barrett, the program manager for the framework.
Even with the wide range of organizations that offered suggestions, Dodson said the main goal of gathering feedback was to make sure the best practices detailed in the framework can be applied across a wide range of organizations.
“Best practices are critical to the goal we are all working toward to achieve to achieve stronger cybersecurity across the nation,” Dodson said. “I think that’s a really important topic and one that we as a community we need to continue and discuss and think about.”
The disparate ways the country is using the framework was on display Wednesday, as a panel featuring the U.S. Coast Guard, the American Petroleum Institute and various energy companies talked about how they have used the NIST framework as a catalyst for their work protecting the industrial control systems on tanker ships.
Stakeholders have been working to create a system that manages the cybersecurity risk related to bulk fuel tankers, with the U.S. Coast Guard facilitating discussion due to their responsibility for protecting critical maritime infrastructure.
“Everybody has a good understanding of what the risks are associated with physical security. We’ve done a very good job of mitigating this risk. With cybersecurity, there isn’t as much of an understanding,” said Verne Gifford, Director of Inspections and Compliance for the U.S. Coast Guard. “A lot of times, those things aren’t handled at a corporate level. It’s at a much lower level. We are addressing risk and assessing what vulnerabilities are out there and making a plan on how to mitigate them.”
NIST’s Don Tobin said projects like this show how the framework is closing the gap between tech-minded people and the c-suite.
“A lot of the time in the IT/infosec community, we forget that we are there to support some kind of mission, whether it’s on the side of generating profits or to protect the systems,” Tobin said. There’s usually a disconnect between the IT side and the mission side on what we are trying to do.”
Closing that disconnect goes along with what NIST was trying to accomplish in the latest RFI. Despite some comments calling for NIST to hand over framework management to a third-party or rework the document altogether, Dodson said NIST doesn’t expect big changes in coming months.
“I think based on the RFI responses and conversations we’ve heard, we haven’t seen anything that leads us to believe an overhaul is needed or required,” she said.
More than handing over control, NIST wants to continue pushing the changes that will continue to make the framework effective in protecting the country’s digital assets.
“We do not envision saying ‘Okay, we have this workshop and now we are finished with the framework,’” Dodson said. “How do we continue working with industry and making sure that the purpose of the framework is critical infrastructure, but stay very excited to see it work for other business sectors. That’s a great thing. How do we make sure that industry leadership in its development and use continues and evolves over time?”