Re: NIST Cyber Framework
This is a great article. The challenge I see in the adoption of the NIST Cyber framework will be the lack of a reward mechanism to enable small and medium businesses to embrace the framework. Large businesses will do it for good practices.
Case in point, when HIPAA came out back in 2004? it was mandatory for covered entities, which by definition at the time were the health plans, health care clearinghouses, etc. 'Business associates' of the CEs were encouraged to comply with the regs but, during that time, were not obligated. What CMS found in subsequent years was that the BAs were just as noncompliant as the rest, and that the enforcement power needed to be enabled. Subsequently, the scope was broadened to the BAs and enforcement actions such as financial penalties were taken. From 2013 to date we have seen about $900k per entity in terms of penalties for noncompliance.
The point is that where there is a big stick, there will be adoption. Where there is no stick there will be no adoption, as adoption costs resources. Voluntary adoption needs incentives such as those enjoyed in health IT, where financial incentives were given to stimulate adoption (physician e-Prescription).
Perhaps NIST will come back to the lawmakers with financial incentives such as a reduced tax break or tax credit (similar to Energy Star for homeowners) for the businesses that can effectively demonstrate their embrace of the framework. And that will open another market to talk about, similar to the 3PAOs of FedRAMP.