The National Institute of Standards and Technology (NIST) released a preliminary version of the Cybersecurity Framework on Tuesday, two months after a draft became available for public comment.

The preliminary framework is largely the same as the August draft (Defense Daily, Aug. 30) with the exception of an expanded section on privacy and civil liberties as well as additional guidance on how critical infrastructure companies can use it.

NIST Director and Under Secretary for Standards and Commerce Pat Gallagher.

NIST expects to release the final version in Feb. 2014, a year after President Obama announced the executive order calling for the voluntary guidelines, Pat Gallagher, director of NIST and undersecretary of commerce, said on a conference call.  

Gallagher said that the framework will remain a “living document” and that it “must evolve to meet the business needs in real time.” Like the draft versions, the final framework will include “areas for improvement” to encourage further discussion. Gallagher said he expects the question of incentives and measuring companies’ conformity to the framework to be among the evolving aspects of the document.  

Although Congress’ function in the framework process has not been determined, Gallagher said there “will be a role for Congress as this continues to go.” Congress could become important in approving financial or legal incentives for participating companies, if such widely discussed measures are formally proposed.

“What you really want to do now is find the friction points…and that’s really where the incentive questions need to be adopted,” he said. “Now in the context of this framework we can have a more specific discussion of what is needed.”

Responding to increased concern about the framework’s emphasis on information sharing and what that means for privacy, Gallagher said privacy will be the focus of a panel at the fifth workshop on the framework next month in Raleigh, N.C.

He emphasized that the framework is not mandatory, meaning that it cannot create new regulations on privacy that some companies have feared could become burdensome.

The framework also does not create an assumption of liability for companies that do not participate and then later become victims of cyber attacks, Gallagher said, responding to issues raised by members of the media. 

In a statement on Tuesday, security firm McAfee, which is a division of Intel Corp. [INTC], came out in support of the framework.

“Many critical infrastructure industries are regulated to some extent already, and often the rules prove more of a hindrance than a help,” Tom Conway, Director of McAfee Federal, said in an email to reporters. “We think this would be the case with cyber security regulation, and therefore we favor mechanisms such as the voluntary framework.”