Why Businesses Can’t Ignore US Cybersecurity Framework

Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.

Wyatt Kash, former Editor, InformationWeek Government

February 14, 2014

Illustration of core functions and activities to support cybersecurity from <a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf">NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0</a>

Cauley also maintains that NIST and the Department of Homeland Security, which plays a lead role in coordinating national cybersecurity efforts, must do more to clarify what incentives exist for adopting the framework, and how organizations would benefit from them, before companies will invest in adoption.

Russell Schrader, senior associate general counsel for Visa, voiced support for NIST's efforts to centralize best practices, but cautioned NIST "to avoid centralizing implementation of security measures across a diverse economy." Schrader warned of "unintended consequences that inhibit innovation," particularly for global companies. "The ability to globally scale an effort like cybersecurity [makes it] important to avoid confusing, duplicative, or contradictory standards," he said.

Even Defense Department experts, in pre-release comments about the framework, observed that it "does not address the cybersecurity challenges of industries or sectors as a whole." The DoD recommended that NIST encourage "threat sharing" across sectors and pay greater attention to privacy concerns.

The preliminary draft also acknowledged a number of issues that the final version does not highlight, including the need for better authentication practices, guidance on sharing threat alerts automatically, and assessment activities that confirm an organization's practices conform to industry standards. Meeting the demand for workers skilled in cybersecurity and big data analytics remains another concern.

Questions also remain about how to align US and global cybersecurity practices with divergent privacy standards, and how to manage the risks inherent in today's global, just-in-time supply chains. NIST left these issues out of its final release, characterizing them as "important but evolving areas."

White House officials said the framework would continue to evolve. They also envision it will eventually be turned over to industry, or an industry-led not-for-profit group, to administer.

"The administration was very clear that they are not looking to expand regulations," one senior official said, "but instead want to align the regulatory structure to support the adoption of the framework."


About the Author(s)

Wyatt Kash

former Editor, InformationWeek Government

Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post Co. and subsequently 1105 Media). He also was part of a startup venture at AOL, where he helped launch AOL Government. His editorial teams have earned numerous national journalism awards. He is the 2011 recipient of the G.D. Crain Award, bestowed annually on one individual nationally for outstanding career contributions to editorial excellence in American business media.
