Six months after the National Institute of Standards and Technology issued its cybersecurity framework, a common misconception is that it's a checklist for the operators of the nation's critical infrastructure to use to reduce cyber-risk, says Adam Sedgewick, the federal government's point man on the framework.
The voluntary framework is a compendium of existing IT security standards, guidelines and practices, Sedgewick says, aimed at furnishing critical infrastructure operators with the know-how needed to address and manage cybersecurity risk in a cost-effective manner based on business needs.
"Organizations should use this as they think about how to manage risk, but they shouldn't treat it like every item is a must-do," Sedgewick says in an in-depth interview with Information Security Media Group.
One often-heard criticism of the framework, he acknowledges, is that it is not prescriptive; it doesn't furnish a step-by-step approach organizations should take to secure critical IT.
"There are a lot of organizations that are looking for additional detail," says Sedgewick, senior IT policy adviser at NIST. "One of the things that is important to us is that we invite that criticism and we want folks to be very honest about how they're using the framework, what they like about it and don't like about it, so the framework itself can improve and [NIST can] develop those tools as well that can help organizations in their struggle."
NIST this week issued a request for information that will solicit feedback from stakeholders on their level of awareness of the cybersecurity framework and their initial experiences implementing it. NIST will use the responses to the RFI to develop the agenda for the Oct. 29 and 30 workshop at the University of South Florida in Tampa, where it will identify topics to incorporate into version 2.0 of the framework.
In the interview, Sedgewick addresses:
- Concerns organizations have raised about the cost of implementing the framework. Applying the framework shouldn't be seen as a budget-line expense but as a critical component rooted in an enterprise's business activities, he contends. "This should be a factor in almost all of your organization's business decisions, and so that's what we're trying to get ingrained. It's not necessarily an expense, but really, it's something you should consider as you consider what your organization looks like and its underlying mission."
- The marketplace being created around the framework, with vendors offering products and services to help organizations implement it. "Part of what we'd look to see is to make sure that the products and services critical infrastructure operators rely on were also conforming somewhat to the framework."
- NIST's potential role in providing tools to make implementing the framework easier. "That's going to be one of the key questions for us. What is the right role for NIST, and what are the tools we can provide moving forward to help critical infrastructure?"
Sedgewick represents NIST on the Department of Commerce Internet Policy Task Force. He also advises NIST leaders on cybersecurity. Previously, Sedgewick served as senior adviser to the Federal Chief Information Officer Council, coordinating cross-agency initiatives and assisting in the implementation of Office of Management and Budget policy and directives. For nine years, he served on the staff of the Senate Committee on Homeland Security and Governmental Affairs, handling cybersecurity and federal information technology policy.