Industry experts and federal employees met at a workshop hosted this week at the National Institute of Standards and Technology in Gaithersburg, Maryland, to hammer out the details of the draft update to the federal cybersecurity framework that President Donald Trump's executive order directs agencies to use.
The framework is organized around five core functions: identify, protect, detect, respond and recover. The document under discussion is formally titled "Framework for Improving Critical Infrastructure Cybersecurity," but the concepts it contains are widely used beyond the 16 sectors the government has designated as "critical."
Each function is divided into categories and further into subcategories, so that concepts can be added or removed at the lower levels without disturbing the rest, noted NIST's Matthew Barrett. There is far less room to change the high-level concepts, because the framework is built as a hierarchy in which every piece has a fixed place.
Much of the discussion revolved around the terms used for the framework's components, how they would be implemented, and whether they would be compatible with similar standards already in use at the Department of Defense.
The draft is designed to be "backwards compatible," meaning that organizations that have already adopted version 1.0 will be able to move to the updated version without reworking what they have in place, said Barrett.
Attendees debated whether to drop the term "critical infrastructure" from the title of NIST's document, arguing that the concepts it covers reach further than the term implies.
There was also debate around identity management, and specifically whether the draft should call out multi-factor authentication by name.
The topic that drew the most heat was measurement. Many industry experts expressed concern over how an organization's cybersecurity posture would be measured against the framework, and what would happen if an agency or company was deemed to have fallen short.
While DOD contractors have dealt with cybersecurity metrics for years, other industries, like health and medicine, have not been subjected to the same level of industry-wide protocols.
While acknowledging the need for high-level standards, attendees said that flexibility in implementation, tailored to each industry, would be the key to success.
As GovConWire previously reported, last week President Donald Trump signed an executive order designed to strengthen the cybersecurity of the federal government. The order requires every federal agency to manage its cyber risk using the NIST framework, and gives each agency 90 days to report on its risk posture and present a plan for how it will implement the framework.
The National Institute of Standards and Technology (NIST), a non-regulatory body charged with developing cybersecurity standards for the federal government, is responsible for maintaining the framework the agencies must follow.
This story was originally published on May 19, 2017.