Cybersecurity Framework: Tests Needed?
Debating the Merits of Beta Testing NIST's 'Final' Guide
The creators of the cybersecurity framework will soon begin writing the final version of the guide to information security best practices aimed at helping the operators of the nation's critical infrastructure secure their information assets (see: Obama, CEOs Meet on Cybersecurity Framework).
But calling it a "final version" is misleading. True, the IT security experts at the National Institute of Standards and Technology, who are shepherding the drafting of the cybersecurity framework, expect to make the Feb. 13 deadline imposed by President Obama. But Adam Sedgewick, the NIST official overseeing the cybersecurity framework, characterizes it as a living document that will be revised over the years as new cyberthreats appear and new ways to mitigate those threats emerge.
The framework will consist of standards, guidelines and best practices intended to help owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Adoption of the framework will be voluntary.
Seeking More Industry Feedback
Since Obama directed NIST last February to create the cybersecurity framework, it has held five workshops where it solicited advice from stakeholders on what should be incorporated in the document. Since then, Sedgewick, NIST's senior information technology policy adviser, has hit the road, attending meetings and conferences seeking more ideas from those outside of government.
Stakeholders have until Dec. 13 to submit their suggestions to NIST at firstname.lastname@example.org.
Sedgewick says NIST should begin to reduce its involvement in the evolution of the framework after mid-February by helping to create a governance structure in which the private sector, not the federal government, takes the lead for future revisions.
Beta Test Needed?
But there's another reason why the February document won't be the final version, according to Larry Clinton, president of the trade group Internet Security Alliance. He argues that the cybersecurity framework should be beta tested before the Obama administration approves it.
"We have already seen in the healthcare website [HealthCare.gov] debacle the results of stringently adhering to artificially determined deadlines and not doing adequate testing," Clinton says. "We are simply proposing the federal government do what any private-sector entity would do before it goes to a full launch of a new product or service - you run a beta test with selected target audiences and generate data to refine the product before you go to full deployment."
Clinton tells me, however, that he's not suggesting a delay in publishing the framework details in February.
"We don't think of it as delaying the framework," he says. "We think of it as doing what you would do with any commercial product or service - you go from the design stage, which is what we're issuing in February, and go into a testing phase."
Clinton says most large critical infrastructure operators could announce in February they're adopting the framework because it will largely incorporate the best practices they've implemented already. But he says many smaller critical infrastructure organizations without a sophisticated IT security program in place - say, a local water utility - would need to invest big bucks to implement the framework, and that wouldn't be wise without it first being tested.
Providing Cost-Benefit Analysis
"By doing the test, companies will be able to get data to encourage them to do it much faster," Clinton says. "When you have data and you can go to companies and say, 'This is going to increase your security by this amount, this is going to have this sort of cost-benefit analysis;' that kind of data is going to motivate better adoption than the absence of any data, which would be the case if we don't do the test."
Clinton wouldn't offer an estimate of how long such testing would take or how costly it would be. He suggests that industry and government share the cost of beta testing the cybersecurity framework.
Sedgewick agrees that the framework should be beta tested, but sees that as part of the normal evolution of the framework after the Feb. 13 deadline. "I didn't get the sense that Larry was asking us to delay our work," he says. "We have a lot of expectations from industry to get this thing out in February. We've been saying that. A lot of the feedback we've gotten already is that this is a voluntary program. We expect this to evolve."
The final version of the cybersecurity framework, Sedgewick adds, will incorporate more materials than previous draft versions to help smaller companies launch a cybersecurity initiative, furnishing them with a step-by-step implementation approach, without having companies initially commit to a big investment. "If you are a small company without a cybersecurity program, there are tools in the framework to help you get started," he says.
Businesses Need to Step Up
Perhaps it's just semantics. Sure, best IT security practices should be vetted. And that will be done after the February release of the cybersecurity framework. But don't discount the responsibility of the end-users - the critical infrastructure owners regardless of size - to conduct their own beta tests. The administration-driven cybersecurity program is voluntary because of strong feelings by many in the business community and Congress - mostly Republicans - that government should not dictate to the private sector - including critical infrastructure owners with businesses vital to our nation's survival - how they should secure their IT systems.
That means the burden of testing IT security best practices - whether it's the cybersecurity framework NIST champions or other approaches - should rest mostly with the businesses themselves.