Last week in Raleigh, North Carolina, the National Institute of Standards and Technology (NIST) hosted the fifth and final workshop on its comprehensive critical infrastructure cybersecurity framework, as the February 2014 deadline for finalizing the ambitious effort draws near. After an intensive stretch of work on a complex and thorny subject, many participants, particularly those who attended all five workshops, were struck by how far NIST has come since it received its marching orders via President Obama's executive order last February.
But, as could be expected, a lot of issues have yet to be resolved. As my latest piece for CSO Magazine spells out, one major question remains unanswered despite the prodigious work by NIST and its industry collaborators: what constitutes adoption of the framework? Without a solid answer, the framework could become a hollow exercise that, while representing good thinking and sound practices, does very little in reality to raise the cybersecurity bar. The definition of adoption, along with related issues such as the incentives needed to get organizations to adopt the framework, got a lot of airtime among the attendees in North Carolina.
A well-organized effort to get NIST to overhaul its latest attempt to incorporate privacy and civil liberty considerations into the framework was one of the more surprising aspects of the workshop. The framework's privacy appendix is too broad and should be pared down to deal only with privacy matters as they relate to cybersecurity, a number of top infrastructure industry reps said.
NIST has some, but not much, time left to tinker further with the framework before it becomes final. And the group is still fielding feedback during an open comment period that ends in December.
For more information on the latest workshop, check out my article in CSO.