The implementation responsibilities for the cybersecurity framework developed and released last week by the National Institute of Standards and Technology (NIST) now fall into the hands of the critical infrastructure companies and operators, Patrick Gallagher, the head of NIST, said today at a Brookings Institution event. Despite the fact that many activities surrounding the framework now shift from NIST to the Department of Homeland Security (DHS) under the cybersecurity executive order issued by President Obama last year, "I actually don’t view the implementation responsibilities passing to DHS," Gallagher said.
"I think it’s important to keep in mind that there are three things happening here. One is that the framework process continues and NIST continues to act as a convener so nothing has changed on that front at all."
"What DHS is doing is establishing a voluntary program that is there to support and promote adoption," he said. "The most powerful force driving adoption are the companies themselves. This is not just about what you do internally. [I]t’s about your relationship with your vendors, your suppliers, your supply chain, the other companies you work with in your sector. Those are actually more powerful than anything we've been discussing" [on the government side].
But the federal government, and NIST itself, will continue to play a key role in shaping further changes to the framework, although NIST has not yet announced a revision schedule for the framework. "What we've done is deliberately create a bit of a pause…for the very reason that we don’t want to get in the way of the adoption piece. We really want companies to use this and we want the [revision] process to be informed by companies that are using the framework," Gallagher said.
And Gallagher hinted that NIST might continue to play a major role in the framework's application and development by pointing to the Smart Grid Interoperability Panel (SGIP), a non-profit organization which facilitates the use of NIST-developed smart grid standards, as a potential model for the cybersecurity framework's governance. "How do we set up a governance scheme where all these different companies can work together and turn this into an ongoing routine process?" he asked.
"In smart grid, the SGIP was put together because the stakeholders felt there wasn't an existing organization that could facilitate the process," Gallagher said, implying that perhaps such an organization could be developed for the cybersecurity framework. NIST is extensively involved in the management and activities of the SGIP.