Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

NIST framework released to widespread praise, but what happens next?

Cynthia Brumfield | Feb. 17, 2014
Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its "final" framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November.

Another concern is that the framework fails to prioritize cybersecurity spending. "Where do I spend my next marginal dollar?" Larry Clinton, head of the Internet Security Alliance asked. "The framework doesn't tell them. I think in two years we're not going to see a substantial reduction in anything."

One group, Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), is worried that the framework misses a very important first cybersecurity step: situational awareness. "The framework is largely a reflection of existing standards and practices and situational awareness is not as completely spelled out as it should be in the long run," Chris Blask, Chair of the ICS-ISAC said.

These and other concerns will continue to be aired under NIST's auspices over the coming months as it continues to fulfill a role as a "convener" as it hand off responsibility to other government groups. NIST may also host another public workshop in the next six months to review stakeholder experience, implementation progress and questions around long-term governance with what it calls Version 1.0 of the framework.

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.


Previous Page  1  2  3 

Sign up for Computerworld eNewsletters.