Update on the NIST Cybersecurity Framework

  • July 10, 2015
  • News

July 10, 2015 - Since its release in February 2014, NIST has been educating different sectors about the Framework's use and value. The results of that effort can be seen in the variety of organizations employing the Framework, ranging from multinationals to small businesses. As NIST Director Willie E. May explained to corporate directors and senior executives at a recent National Association of Corporate Directors event, "We see companies like Intel, Chevron, Walgreens, Pepco, Apple, QVC, and the Bank of America talking about how they are using the Framework or planning to incorporate it. But we also see 50-person firms, like Silver Star Communications in rural Wyoming, describing how the Framework has helped them to be more thoughtful and wiser managers of their cyber risks."

Industry Understanding and Use

The proposed value of the Framework has been validated through a large volume and breadth of interactions between NIST and industry. One of the most frequently cited benefits of the Framework is a common cyber risk management language, so that more efficient and precise discussions can be held up, down, and across a company's management structure, with auditors, and with supply chain partners. The Framework is now being used as a basis for security-oriented discussions and decision-making in corporate boardrooms, the C-Suite, and among line managers and staff with cyber responsibilities.

Framework usage and value were further validated at the annual RSA Conference in San Francisco in April 2015, where the Framework was perhaps one of the most discussed topics. In his keynote, Federal Communications Commission Chairman Tom Wheeler highlighted the importance of the Framework in supporting the "New Paradigm" of Business-Driven Cyber Defense. Chairman Wheeler's address also referenced the March release of the FCC Communications Security, Reliability and Interoperability Council (CSRIC) Cybersecurity Risk Management and Best Practices Working Group 4 Final Report, which evaluates the merits of the Framework for the telecommunications sector and details recommended adaptations of the Framework to telecommunications subsectors.

Also at the conference, RSA's Michael Brown (retired Rear Admiral) moderated a panel on Using the Cybersecurity Framework, in which Steve Whitlock of Boeing and Tim Casey of Intel outlined their respective companies' use of and future plans for the Framework. (Tim also expounded on Intel's usage at a separate Intel-specific session.) In that same panel, NIST's Donna Dodson and the FCC's David Simpson (retired Rear Admiral) highlighted the continued need for the Framework to be a voluntary tool for making decisions about risk.

As revealed in the RSA presentation Risk-Ops at Scale - Framework Operationalization to Address Business Risk, the State of Texas has aligned the Framework Functions to its agency security plan. Texas has developed a statewide framework that covers cybersecurity best practices and is mapped to the Framework subcategories. To mitigate supplier risk, the state also uses a vendor alignment template that is rooted in the Framework core.

Continued Outreach

From the outset of Framework development, many companies expressed concern about the growing diversity of cybersecurity requirements around the globe. Because the Framework could standardize vocabulary and organize cybersecurity requirements across multiple nations, NIST continues to reach out to other governments and major multinational corporations. A previous Status Update from our team reported that United Kingdom and European Commission representatives have spoken favorably about the Framework and about how our approaches could be aligned with theirs. Since then, NIST has met with officials from more than 20 additional nations, encouraging them to consider the Framework's approach in order to move closer to global alignment. Many of those nations are considering the Framework. As recently as May of this year, U.S. Deputy Secretary of Commerce Bruce Andrews led a delegation of 20 American companies on a Cybersecurity Trade Mission to Bucharest, Romania, and Warsaw, Poland. Deputy Secretary Andrews was accompanied by NIST Computer Security Division Chief Matt Scholl, who addressed a variety of cyber topics including the Framework.

NIST has increased outreach on regulatory alignment in the past six months, particularly in the financial and telecommunications sectors. This included participating in an advisory role to the aforementioned CSRIC Working Group 4. NIST is also an advisory member of the Cybersecurity Forum for Independent and Executive Branch Regulators. The forum was chartered to increase the overall effectiveness and consistency of regulatory authorities' cybersecurity efforts pertaining to U.S. critical infrastructure. In all of these interactions, NIST continues to communicate the merits of the Framework as an organizational and communication tool for better managing cybersecurity risk. In the upcoming months, NIST will continue its international and regulatory dialogue.

While small and medium businesses (SMBs) are well-represented in many of the venues in which we participate, NIST is seeking SMB-specific interactions so we can better understand their needs, challenges, and adoption. Additionally, NIST has begun a campaign to clarify and highlight how the FISMA suite of guidelines and standards (e.g., FIPS 199, SP 800-37 Rev. 1, SP 800-53 Rev. 4) can be used in concert with the Framework. This effort will bring together federal organizations and other users of FISMA guidance at meetings and other events, and will culminate in a NIST publication.
