The cybersecurity team at the National Institute of Standards and Technology (NIST) is about to finalize a new version of a signature document, the Cybersecurity Framework. Next week, it holds a workshop to get one last round of input on the framework draft. Joining Federal Drive with Tom Temin, the chief of NIST’s Applied Cybersecurity Division, Kevin Stine.
Tom Temin Let’s begin. Basically, what exactly is the cybersecurity framework that you’re about to launch version 2.0 of? And maybe then tell us how that relates to the various publications that NIST has the library of specifics on cybersecurity.
Kevin Stine Yeah, absolutely. So the cybersecurity framework, in my mind, is a tool to help agencies and other organizations, certainly a very broad user community, to better understand, manage and reduce cybersecurity risk. It’s based on existing standards and guidelines, is based on existing practices for organizations to really help them do that. And the body of NIST cybersecurity and privacy resources, the special publications and other outputs that we produce with the community are really intended to help organizations achieve the cybersecurity outcomes that are expressed in the cybersecurity framework.
Tom Temin And the framework is used pretty much across the board, correct, across the government. But industry also often adopts that as a way of looking at cyber. Correct?
Kevin Stine Yeah, very much so. The framework does have a very broad kind of user community and audience. I would say it initially started back in 2013 with an executive order that was really focused on voluntary use by critical infrastructure owners and operators. But over the last decade we’ve seen it become required for federal agencies through follow on executive orders. We’ve seen just tremendous voluntary adoption by industries, by other layers of government, state and local governments, for example, or even internationally because of the value that common language that the framework provides just has a tremendous value proposition for all different shapes and sizes of organizations.
Tom Temin And could one reason for that be is that you get wide participation each time you launch a document, or more importantly, the updates, which come pretty regularly. We’re now at 2.0 of the framework. I mean, who all gives you input here?
Kevin Stine So we get input and we actually actively seek input from a very diverse audience, very diverse user base. Again, all the types of organizations I mentioned before, public, private, nonprofits, you know, large, small, you name that we really go out and try to engage with as many parts of the stakeholder community as possible, both domestically and internationally, to get informed on things that will, you know, how’s the framework working for them today? What are the things that work well? What are the things that need greater clarity? Are there new features or, you know, additions to the framework that would provide even greater value and that type of input through the different types of stakeholder engagement we do, including the workshops like one we’re hosting next week, are really central to our ability to do that.
Tom Temin How specific does the framework get to the particular, I don’t know, environment at the moment for cybersecurity because different types of threats come and go. SolarWinds type of attack happened and wow, that’s something new. And then there was the log based attacks. Well, that was something new too. There’s always something new like that. How does the framework take into account the fact that there’s always some new threat and that the landscape this year is different from, you know, a month ago?
Kevin Stine It absolutely is. And that landscape will be potentially slightly different from one organization or one sector to the next. You know, we want to keep the framework. We want it to be threat informed, but also technology and sector agnostic and threat agnostic in some ways. So the framework is really, you know, structured to be outcomes focused. So what are the important cybersecurity outcomes that organizations might need to achieve to help them better identify, assess, manage and really reduce risk? And that would take into account the diverse types of threats, both things we’ve observed today, as well as things that maybe we haven’t observed yet, but will be new things that affect agencies and other organizations. So really taking that technology and business process neutral approach is actually one of the values of the framework. And I think why we see such broad adoption, because it’s flexible.
Tom Temin So the idea is to teach people to fish but not put a worm on their hook.
Kevin Stine Yeah, I think that’s a good way to describe it.
Tom Temin All right. We’re speaking with Kevin Stine. He is chief of the Applied Cybersecurity Division at the National Institute of Standards and Technology. Is it possible to write something like this in reasonably plain English?
Kevin Stine You know, we’ve tried our hardest to do that. You know, certainly a lot of the resources we produce are on very technical topics, and we try to use plain language as much as possible to describe those both, you know, what it is and why it’s important, why organizations should care. At some point, we do get into the nitty gritty technical details, but I think the Cybersecurity Framework tried to break that mold a little bit because of the diverse audience. We wanted this to be really a big tent approach, bring as many types of users in different communities, in not just the cybersecurity professionals, but the C-suites and the board of directors who have such a critical role in the cybersecurity risk management process, but also the other parts of organizations that have an outsized influence on cybersecurity, whether it’s legal or acquisition or human resources. You know, all of those organizations, parts of organizations have very important roles and have to be brought into this discussion. And we can’t do that through a deep technical discussion. You know, that unique cybersecurity language that many of us speak, but not everyone does. So the framework was really developed in a way, and it’s always being improved to help be more, more of a digestible resource for very different types of people.
Tom Temin And you’re not exactly engaging in rulemaking here, but you use some of the forms of rulemaking, especially taking in comments and publishing them. And just looking around your site, it looks like you make a pretty good effort at making sure this whole process is transparent by actively publishing and giving links to all the comments that everyone has made.
Kevin Stine You know, everything we produce in our NIST cybersecurity and privacy program is done in a very open and transparent and collaborative way. And certainly the framework has followed that exact same process. I think that really helps to instill both trust in the process, but also trust in the final product that we produce. In this case, you know, whether it’s a standard or a framework or some other resource. And I think, you know, the benefit of that is that I think it leads to greater and more meaningful adoption of those resources, which is ultimately what we want to see. You know, these resources being used and adopted in ways that make improvements to our cybersecurity within organizations, but also across the nation as well. And workshops and other stakeholder engagement are such a critical part of that.
Tom Temin And in recent years we’ve seen the emergence and the lavish funding growth of the Cybersecurity and Infrastructure Security Agency over at the Homeland Security Department. Do you collaborate with them a lot, since they own much of the operational aspects of cyber for the federal government.
Kevin Stine Yeah, we absolutely do. We collaborate with many federal agencies. I would venture to say probably all in some way, but very closely with CISA on a number of different areas. Certainly, you know, because they have that keen operational focus and their resources, they have tremendous expertise and relationships with agencies and the private sector on those operational matters. We want to learn from them and hopefully, you know, help inform some of their activities as well. I think their operational role really helps to inform our cybersecurity guidance, our frameworks and other resources to continue to make sure those are going to be responsive to the current threat environment and the needs of the community and through our development process for these resources. Absolutely, we share with them in hopes to inform some of their operational activities as well. So it’s a great relationship. We have a very strong one.
Tom Temin And tell us about the workshop. That’s next week. Kind of a final round of input before you go from draft 2.0 to final?
Kevin Stine Yeah, we’ve had a couple of virtual and hybrid workshops over the last year leading up to where we are today with the framework. I’m super excited about next week’s. This will be the last in a formal workshop before we intend to issue a final 2.0 cybersecurity framework 2.0 in the winter of 2024. Next week’s workshop. It’s a two-day workshop. The first day is going to be a hybrid. There will be an in-person component as well as a virtual component for folks that follow along around the world. The first day is going to be entirely panel based. We’ll have experts from different parts of the industry, industry and government across different sectors, you know, helping to share their expertise and inform some of the key improvements that we’re seeking to make in the framework, whether it be around organizational governance for cybersecurity or cybersecurity supply chain, the relationship to standards and guidelines and other critical areas as well. So super excited for that. The second day is going to be in-person only and those are really going to be the roll up your sleeves working sessions where we have facilitated discussions, smaller group discussions, where we really go deep into the framework, look at the actual text that’s in the framework and make sure that the words we’re using and the things we’re focusing on are the right things that we’re doing that in a way that is going to be meaningful with community. So we’re super excited. I know we always get so much out of these and I’m confident next week will be the same.