The government is leaning on private industry to help develop voluntary cybersecurity standards that are flexible, cost-effective and actually usable, representatives from the Commerce Department’s National Institute of Standards and Technology said Wednesday at a public workshop in San Diego.
NIST is 92 days from a deadline to publish a draft of a new framework intended to secure utilities, airports, financial systems and other critical U.S. infrastructure from cyber threats. This week’s workshop — the third so far — gives industry a chance to drive development and air concerns over cost and flexibility.
“One of the invariants in developing a framework of this kind is there is always a plea on the part of the community to say, ‘Please, don’t let this be shelf-ware,’ ” Charles H. Romine, director of NIST’s Information Technology Laboratory, said to open the workshop at the University of California San Diego.
NIST hopes to avoid something that looks good on paper but isn’t practical for companies to use.
One goal is to craft guidelines that make sense to senior corporate leadership, who make the risk decisions, yet are specific enough for the front-line employees who operate critical systems.
Last year, Congress failed to pass legislation to require companies to better secure their systems and networks, even as hacker intrusions from China and elsewhere have been identified as a major threat to economic and national security.
In response, a February cybersecurity Executive Order tasked NIST with building the cybersecurity framework, which will be implemented in collaboration with the Department of Homeland Security.
Compliance with NIST’s framework is voluntary and the institute’s leadership said they hope industry input will lead to best practices and standards that are cost-effective and useful across numerous sectors.
And though NIST is developing the framework, many of the decisions on how it will actually be used will be left up to each company.
“You understand the resources and the different constraints much better than we do for your operating environment,” said Kevin Stine, manager of the Security Outreach Group in NIST’s Computer Security Division.
In preparation for the workshop, NIST published a draft outline of its framework online last week.
In that document, NIST says the framework will include a section on how senior leadership can apply its principles to manage cybersecurity risks in the context of broader risks and business goals.
The framework takes a risk-management approach broken into the following five cybersecurity functions: Know, Prevent, Detect, Respond, Recover. Each function is broken into smaller categories and subcategories to help a company assess its preparedness for cyber threats across the organization.
This week’s workshop is set to include discussions between representatives from industry, government and academia on the details of what the draft framework should look like. Sessions will focus on privacy, executive management, small business issues and training, among other topics.
After 148 days of working on the framework, NIST said it is seeking comprehensive input to develop an end result that is flexible enough to be used by businesses of varying size across numerous sectors.
“We are developing this framework in a way that can be broadly applicable to diverse organizations…to the small utility, ranging up to the large multinational corporation,” said Adam Sedgewick, senior information policy advisor at NIST’s Information Technology Laboratory.
Following the publication of a draft in October, a final version of the framework is expected to be published in February. The workshop adjourns Friday.