Gallagher Urges Continued Industry Engagement as NIST Works on Cybersecurity Framework
Industry stakeholders must remain engaged in development and implementation of the Cybersecurity Framework as the National Institute of Standards and Technology moves into the process of creating a final version of the framework for release in February, said NIST Director Patrick Gallagher. NIST released a preliminary version of the framework Tuesday to collect public input (CD Oct 23 p1). That input will include a fifth framework development workshop Nov. 14-15 at North Carolina State University’s Centennial campus in Raleigh. In addition to seeking input on specific parts of the framework, NIST will discuss possible structures for an independent, industry-led body to take charge of further revisions to the framework, Gallagher said during a USTelecom event Friday.
Industry must “take the lead going forward,” said Gallagher. The framework was never meant to be a government-created methodology, he said. NIST will continue to provide a supporting role, including through its National Cybersecurity Center of Excellence, through which the agency anticipates much of its work will involve companies looking to implement the framework, Gallagher said. Early adopters of the framework will have the “strongest hand” in deciding its future course, including governance structure and international ramifications, he said.
Industry must also continue to “roll up its sleeves” and improve the metrics for determining the success of framework adoption, Gallagher said. Although some metrics exist, it was one of the areas identified in the preliminary framework as needing improvement. Congress has an essential role to play in the cybersecurity policy realm, Gallagher said, noting that the Senate Commerce Committee approved the Cybersecurity Act (S-1353) in July. The bill would authorize NIST to work with industry on an ongoing basis to develop cybersecurity guidelines and best practices (CD July 31 p1). Congress must also “pay attention” to the need for additional incentives to encourage framework adoption, Gallagher said.
Senate Commerce Committee leaders Chairman Jay Rockefeller, D-W.Va., and ranking member John Thune, R-S.D., chose not to include incentives in the Cybersecurity Act because they wanted to see the preliminary framework and get industry feedback on it, said Nick Rossi, the committee’s deputy Republican staff director. “Once you start talking about incentives, you have a hard time not turning it into a compliance program.” Rockefeller and Thune wanted to get industry feedback on the most effective incentives “before we go down that road,” Rossi said.
Internet Security Alliance President Larry Clinton said incentives are the “high-octane fuel” needed to power the framework, adding that if Congress and the White House don’t develop effective incentives, NIST’s work will have been a waste. Other Senate committees also have an interest in cybersecurity policy, and once they produce bills Senate Commerce will see whether they're compatible with the Cybersecurity Act, Rossi said. The political landscape for some cybersecurity policies -- particularly information-sharing measures -- has become “more challenging” since leaks about the National Security Agency’s surveillance programs began in June, he said. (jphillips@warren-news.com)