NIST Issues Preliminary Cyber Framework
Gallagher Emphasizes Voluntary Nature of Framework
In releasing the preliminary version of the cybersecurity framework on Oct. 22, the head of the National Institute of Standards and Technology re-emphasized the voluntary nature of the guide. But he said critical infrastructure operators have a responsibility to adopt the recommended IT security best practices.
President Obama, in an executive order issued in February, directed NIST to work with representatives of the private sector to create the framework of information security best practices that could be voluntarily adopted by critical infrastructure organizations, most of which are private companies (see Obama Issues Cybersecurity Executive Order).
Critics of voluntary standards contend they become, in effect, government regulations because they create industry standards, and courts could find critical infrastructure operators liable should a breach occur if they failed to follow industry best practices (see New Case Against Voluntary Standards).
NIST Director Patrick Gallagher dismissed that argument, saying there's no implied liability being inserted into the cybersecurity framework. "The intention is quite emphatic and explicit in the executive order; it's to provide an approach to disseminate best practices," Gallagher said at a press briefing.
But he argued that most security experts would agree that implementing the best practices is important.
"As it was defined in the executive order, critical infrastructure was designated as those things that, if they were compromised through a cyber-attack, would cause grave harm to the country," said Gallagher, who also is the Commerce Department's undersecretary for standards and technology. "So I think there was no question this was designed to be assistive and supporting what I think almost every organization I spoke to in this process believes, which is, it's in their own interest ... to use the best practices they can."
NIST was originally slated to issue the preliminary cybersecurity framework on Oct. 10, but the release was delayed because of the partial government shutdown (see NIST: Framework Getting Back on Track). NIST officials say they're still on target to publish the final cybersecurity framework in February, as ordered by Obama.
Enhanced Privacy Protections
Adam Sedgewick, the NIST senior IT policy adviser who's coordinating the effort to create the framework, said the main difference between the latest version of the framework and a draft version issued in August was the inclusion of provisions to strengthen privacy and civil liberties protections and additional guidance on how to use the framework.
NIST says more than 3,000 individuals and organizations, including infrastructure operators, have contributed to the framework. In the coming days, NIST will open a 45-day public comment period on the framework. NIST will hold its final public workshop to discuss the framework on Nov. 14 and 15 at North Carolina State University in Raleigh. The workshop will focus on the framework's implementation and governance.
Correction: An earlier version of this story incorrectly reported that more than 300 individuals and organizations have contributed to the cybersecurity framework. The correct number is more than 3,000.