About a month after releasing cybersecurity standards aimed to hold companies accountable to more than just an antivirus suite and crossed fingers, the National Institute of Standards and Technology (NIST) held its fifth and final stakeholder workshop to help develop a voluntary framework for reducing cyber risks to critical infrastructure.
Since February 2013, NIST has sought feedback from hundreds of cybersecurity specialists, attorneys, policymakers and government employees on what lies ahead in applying and updating it. The preliminary framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity.
While many in attendance at the Raleigh, N.C., workshop spoke positively of the initial framework, other experts cited a number of problems they see with its usefulness, applicability and scope as the agency nears its February 2014 deadline.
One common example of the concerns voiced by attendees is what exactly it means to adopt the framework.
“It’s just not clear what it means to adopt the framework,” Larry Clinton, president of the Internet Security Alliance (ISA), said, according to a CIO report. “Uncertainty leads to underinvestment. They [critical infrastructure asset owners] will not know whenever an investment will qualify as an investment to the framework.”
The agency’s efforts to improve cybersecurity began in earnest following the mandate under President Obama’s February 2012 executive order.
Last month, NIST released its preliminary plan, which is intended to act as the basis for improved control over IT infrastructure for companies in all sectors. While not mandatory, the list will be a repository for best practices and will rely on active engagement from those in the tech community to test its validity.
The framework will be a “living document” that allows for continuous improvement as technologies and threats evolve, according to Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher.
“Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies,” he said in a statement.
On Oct. 29, NIST announced a 45-day public comment period on the preliminary framework. Comments are due no later than 5 p.m. ET on Dec. 13. Comments should be submitted to NIST using the comment template form on its website.