Why the NIST framework needs to be the common language of cybersecurity

There is no doubt that the importance of cybersecurity has exploded exponentially over the past few years, culminating in 2016-2017, when it seems to dominate headlines on a daily basis.

Now that President Donald Trump’s cybersecurity executive order is out, it has become more important than ever to discuss the kind of cyber-world we want to live in. Despite the amount of coverage and resources devoted to the topic, the field is still evolving dramatically. We have an understanding of what we can do and that it needs to be regulated and protected, but we haven’t determined how exactly we’re going to protect this new world.

We’ve created some structure in this world, but a single cohesive language has not evolved out of that. The United States needs to determine exactly how we are going to exist and communicate in cyberspace. People cannot participate in cyberspace by simply creating and disposing of their own rules, nor can people exist in cyberspace without a means to communicate with each other.

The National Institute of Standards and Technology (NIST) has attempted to create a language for us to be able to communicate and collaborate with each other in this space. This is something, I believe, we all need to be on board with.

Flexibility is paramount

With its mission of perseverance, integrity, inclusivity, and excellence, NIST has the same goals that we all do when it comes to cybersecurity. Further, with the recent NIST Cybersecurity Framework, Assessment and Auditing Act, they have been given the nod to assess how well we are all doing in this new world. With an idea of how prepared major agencies and organizations are for participating in our cyber community, we have given them the ability to create a path towards a more secure and collaborative space.

In fact, the NIST Cybersecurity Framework (CSF) has been adopted by about 30 percent of U.S. companies since its release three years ago, and that number could reach 50 percent by 2020. This means that the floor opens up for increased collaboration. With everyone on their way to speaking the same language in cyberspace, we are well on our way to exploring the unknown and more deeply developing what we’ve already discovered.

Further, Matthew Barrett, the framework’s program manager, shared that we, the members of the cyberspace community, are getting the chance to help form our own language.

Cybersecurity is not a one-size-fits-all task. The NIST CSF was created with that in mind. Like language, a framework gives everyone a basis to start in the same place. How you use language and what you do while using it isn’t something that should be mandated, because at that point it stifles creativity. NIST gives us the flexibility to secure cyberspace without making it a constrictive environment.

The future of cyber: A bipartisan concern

When the CSF is finalized within the next two months, it will be impossible to ignore the effect that it will have on cyberspace.

The NIST CSF Assessment and Auditing Act or the cybersecurity executive order will also have immense implications for our community.

While there are arguments for and against this cyber legislation, it is important to keep our eyes on its progress, regardless of what happens.

“Our goal is to get us on the right path and give people information,” NIST Fellow Ron Ross said. “It’s all about transparency, so you can make better risk-based decisions at the end of the day.”

We need to look at what we have and figure out the best way to move forward, no matter what happens or what side of the aisle we sit on. We should be certain that we take care of NIST, which will mean different things to different people.

I argue that that’s a good thing, because considering differing perspectives and coming to a compromise will lead to more widespread acceptance. With the adoption of the NIST CSF by all, we have the potential to unite the digital world and work towards a more collaborative, communicative future. Without this standardization, there will be no consistency in our language; and without consistency, it becomes difficult to defend what we hold so dear.


J. Kevin Reid is the vice president of national security and CIO for KeyLogic Systems

Copyright © 2019 Federal News Network. All rights reserved.