The National Institute of Standards and Technology (NIST) Cyber Security Framework was created through the White House Executive Order 13636 in 2013, calling for improving critical infrastructure cybersecurity. This came at a time where there was a convergence of operational technology with information technology.
Since the creation of the NIST Cyber Security Framework, it has been highly regarded all over the world as a tool for regulating cyber space.
To learn more about the framework, OpenGov recently spoke to Matthew Barrett, Program Manager, Cyber Security Framework, NIST, about how the infamous framework was developed with the help of public-private sector collaboration and what they are doing to improve it over time.
He took on the position of Program Manager in 2014 after Kevin Stine, who worked during the development of the framework.
“I have taken over this post over a year ago to cover this era of understanding and use of the framework,” said Mr. Barrett.
Mr. Barrett comes from a program and executive management background. He brings a unique perspective to the Cyber Security Framework team, as he is able to highlight greater concerns such as risk management.
In creating the framework, the team at NIST travelled around the United States to five different cities, aiming to reach a broad amount of perspectives on cyber security. They hosted workshops with cyber security industry professionals and experts so that they could learn what they desired from the framework.
“We tried to reach the broadest amount of perspectives possible so that the framework would be useful!” stated Mr. Barrett.
When we asked Mr. Barrett how frequent this framework is being revisited, he explained why it does not happen as often as you may think.
“NIST’s perspective is a balancing act because you do not want to burden the framework too soon. That can actually stifle adoption,” Mr. Barrett explained to us, “You want folks to have a good time to figure out understand and decide how they are going to use it. Then they can adopt and adapt it as they will, to get the most value out of it.”
Late 2015, NIST took to the cyber security industry to ask if it was time to update the framework and what things people would like to see adjusted.
To this, they have received a lot of positive feedback about the framework. In addition, over 24 foreign governments had expressed alignment with the Cyber Security Framework principles and their interest in adopting parts of it within their own policies.
“This enhances the value proposition of the Cyber Security Framework as a translational tool,” Mr. Barrett exclaimed.
The framework is built for worldwide adoption because it is overarching functions with 22 categories and 98 subcategories. At that level of abstraction, it is a universal translator for cyber security standards.
“Having a unified view of the cyber security outcome at hand is critically important to making sure cyber security hits the mark,” stated Mr. Barrett.
We asked Mr. Barrett if there are any industries which have challenges to adopting the standards set by the Cyber Security Framework. He explains that it isn’t always such a simple picture for everyone, depending on what industry they come from.
“There are industries that are more distributed by their nature, and others are more centralised. For example, the financial services industry is very centralised and thus, very easy to get information out there and back quickly,” said Mr. Barrett, “We hear good feedback from those who are decentralised, such as dams and water participants. When your mission is far removed from cyber security, once we start relaying this increasing connectedness between cyber and physical, people tend to understand and agree that we need such a framework in place.”
With the growing IoT landscape, there have been many challenges that the security industry has had to address, when it comes to security.
To this, Mr. Barrett suggested that time is repeating itself and we reach some of the same challenges as when we first approached the convergence of operational and information technology.
“The internet of things is a distributed and more commonly available version of the convergence between operational and information technology,” Mr. Barrett said, “I think that network connected dimension that came to process controlled systems overtime, represents the same issue we face with the growing landscape of IoT.”
To provide more support to organisations, NIST is working to catalogue industry resources to list on their website. From time to time, the team updates their FAQ section to provide answers to some of the most pressing questions from the industry.
As the team behind the framework is rather slim, they also try to reach out to security professionals at meetings and conferences being held across the US.
NIST has just closed its framework response window but they will use this feedback to culminate a workshop at NIST from the 6th until the 7th of April, 2016. They welcome visitors from all over the world to their workshop which will touch on the developments of the Cyber Security Framework.