Industry experts and federal employees met at a workshop hosted this week at the National Institute of Standards and Technology in Gaithersburg, Maryland to hammer out the details of the new federal cybersecurity framework draft requested by President Donald Trump in his executive order.
The framework will fulfill five key functions: identify, protect, detect, respond and recover. The document under discussion is formally titled “Framework for Improving Critical Infrastructure Cybersecurity,” but the concepts contained within it are widely used beyond the 16 industries that the government has termed “critical.”
Each function is divided and subdivided so that there will be more flexibility to add or delete concepts at each level, noted NIST’s Matthew Barrett. There will be less flexibility to change high-level concepts within the framework, because the conceptual framework is meant to place its pieces into a hierarchical continuum.
Much of the discussion revolved around the terms used for various parts of the protocols, how they would be implemented, and whether they would be cross-compatible with similar standards already employed by the Department of Defense.
The standards are designed to be “backwards compatible,” meaning that organizations that have already adopted version 1.0 will be able to seamlessly adopt the new draft, said Barrett.
Attendees debated whether to eliminate the term “critical infrastructure” from the title of NIST’s document, arguing that the concepts discussed have further reach than the term implies.
There was also debate around identity management and whether multi-factor authentication should be specifically referenced.
The topic that drew the most heat was the question of measuring cybersecurity protocols. Many industry experts expressed concern about how protocols will be measured, and about what would be done if an agency or company were deemed not to have measured up.
While DOD contractors have dealt with cybersecurity metrics for years, other industries, like health and medicine, have not been subjected to the same level of industry-wide protocols.
While acknowledging the need for high-level standards, attendees added that flexibility in implementation, tailored to the industries themselves, would be the key to success.
As GovConWire previously reported, last week President Donald Trump signed an executive order designed to strengthen the cybersecurity of the federal government. The order requires the National Institute of Standards and Technology (NIST) to provide a cybersecurity process framework with which all federal agencies must comply, and imposes a 90-day process for the implementation of that framework.
NIST, a non-regulatory body charged with developing cybersecurity standards for the federal government, will develop the framework the agencies must follow. After the protocol is agreed on, every federal agency will be given 90 days to meet a number of goals and benchmarks, as well as to present a plan for how it will implement the NIST framework.