What's Next for Cybersecurity Framework?

The National Institute of Standards and Technology is soliciting comments from stakeholders on whether its cybersecurity framework - a set of standards, guidelines and best practices issued in February 2014 - is helping organizations secure their information systems.

The deadline to submit comments is Feb. 9, and the responses to the request for information could result in NIST revising the framework.

"A lot of folks out in industry have been calling this version 2.0," Adam Sedgewick, the federal government's point man on the framework, says in an interview with Information Security Media Group. "We actually don't call it version 2.0 because, at this point, we're not even aware if an update is necessary. If there was an update, there might not even be a version 2.0; it could be version 1.1 or 1.5."

In the interview, Sedgewick discusses:

Transitioning management of the framework from NIST, which sees its role as convener and facilitator, to the private sector;
Growing acceptance of the framework by industry; and
Steps industry groups and government agencies have taken to provide guidance on implementing the framework.

The genesis of the framework dates to February 2013, when President Obama, in an executive order, directed NIST to work with industry and government agencies to develop a voluntary framework for reducing cyber risks to critical infrastructure (see Obama Issues Cybersecurity Executive Order). Although aimed at critical infrastructure operators, the framework has proven popular with organizations outside critical infrastructure as well.

In its request for information, NIST seeks information on:

Ways in which the framework is being used to improve risk management;
How best practices for using the framework are being shared;
The relative value of different parts of the framework;
The possible need for an update of the framework; and
Options for long-term governance of the framework.

In an interview with ISMG earlier this year, Sedgewick addressed critics who say the framework is too simple to be effective and fails to address the costs to implement it (see The Evolving Cybersecurity Framework).

Sedgewick is the senior IT adviser at NIST's Information Technology Laboratory and represents NIST on the Department of Commerce Internet Policy Task Force. He also advises NIST leaders on cybersecurity. Previously, Sedgewick served as senior adviser to the Federal Chief Information Officer Council, coordinating cross-agency initiatives and assisting in the implementation of Office of Management and Budget policy and directives. For nine years, he served on the staff of the Senate Committee on Homeland Security and Governmental Affairs, handling cybersecurity and federal information technology policy.