Cauley also maintains that NIST and the Department of Homeland Security, which plays a lead role in coordinating national cybersecurity efforts, must do more to clarify incentives for following the framework, and how organizations can benefit from them, before companies will invest in them.
Russell Schrader, senior associate general council for Visa, voiced support for NIST's efforts to centralize best-practices, but cautioned NIST "to avoid centralizing implementation of security measures across a diverse economy." Schrader warned of "unintended consequences that inhibit innovation," particularly for global companies. "The ability to globally scale an effort like cybersecurity [makes it] important to avoid confusing, duplicative, or contradictory standards," he said.
Even Defense Department experts, in pre-release comments about the framework, observed that it "does not address the cybersecurity challenges of industries or sectors as a whole." The DoD recommends that NIST encourage "threat sharing" across sectors and greater attention to privacy concerns.
Though not highlighted in the final version of the framework, the preliminary draft acknowledged a number of other issues, including the need for better authentication practices, guidance on sharing threat alerts automatically, and establishing assessment activities that affirm practices conform with industry standards. Meeting the demand for workers skilled in cybersecurity and big data analytics remains another concern.
Questions also remain on how to align US and global cybersecurity practices and divergent privacy standards and manage the risks inherent in today's global, just-in-time supply chains. NIST left these issues out of its final release, characterizing them as "important but evolving areas."
White House officials said the framework would continue to evolve. They also envision it will eventually be turned over to industry, or an industry-led not-for-profit group, to administer.
"The administration was very clear that they are not looking to expand regulations," one senior official said, "but instead want to align the regulatory structure to support the adoption of the framework."
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.