By Amber Corrin
The National Institute of Standards and Technology’s draft cybersecurity framework is a stepping stone toward an October deadline for a preliminary plan — and ultimately to a “final” document due in February 2014 under President Barack Obama’s cyber executive order.
To get there, NIST continues to depend on industry and the public’s involvement in creating comprehensive guidelines that are adoptable and effective. The new draft, released Aug. 28, comes just weeks ahead of NIST’s fourth workshop, to be held in Dallas Sept. 11-13.
It is a pattern NIST has come to rely on in the creation of the cyber framework, said Adam Sedgewick, NIST senior IT policy advisor. The agency releases information asking for feedback, presents the feedback at a public workshop to launch discussion of key issues, then posts online the information from the workshop discussions that help inform the next iteration of a draft framework.
“We’ve structured the whole 240 days [given in the executive order to issue the October draft] to try to maximize the amount of public engagement and feedback we could get,” Sedgewick said. “Given the time constraints, we’ve used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we’ll have another public comment period.”
Through the process, NIST officials have been able to present the most comprehensive draft framework yet, one that, for example, fleshes out the core of the guidance and the proposed metrics for assessing an organization’s cybersecurity standing. The Aug. 28 version builds on a more skeletal iteration from July, and the forthcoming versions will continue that pattern of building on each other using feedback from stakeholders.