Debating the Merits of Beta Testing NIST’s ‘Final’ Guide
The creators of the cybersecurity framework will soon begin writing the final version of the guide to information security best practices aimed at helping the operators of the nation’s critical infrastructure secure their information assets (see: Obama, CEOs Meet on Cybersecurity Framework).
But calling it a “final version” is misleading. True, the IT security experts at the National Institute of Standards and Technology, who are shepherding the drafting of the cybersecurity framework, expect to make the Feb. 13 deadline imposed by President Obama. But Adam Sedgewick, the NIST official overseeing the cybersecurity framework, characterizes it as a living document that will be revised over the years as new cyberthreats appear and new ways to mitigate those threats emerge.
The framework will consist of standards, guidelines and best practices intended to help owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Adoption of the framework will be voluntary.
Seeking More Industry Feedback
Since Obama directed NIST last February to create the cybersecurity framework, it has held five workshops where it solicited advice from stakeholders on what should be incorporated in the document. Since then, Sedgewick, NIST’s senior information technology policy adviser, has hit the road, attending meetings and conferences seeking more ideas from those outside of government.
Stakeholders have until Dec. 13 to submit their suggestions to NIST at firstname.lastname@example.org.
Sedgewick says NIST should begin to reduce its involvement in the evolution of the framework after mid-February by helping to create a governance structure in which the private sector, not the federal government, takes the lead for future revisions.
Beta Test Needed?
But there’s another reason why the February document won’t be the final version, according to Larry Clinton, president of the trade group Internet Security Alliance. He argues that the cybersecurity framework should be beta tested before the Obama administration approves it.