Drafting of U.S. Cybersecurity Framework 'Essentially Complete,' NIST Director Says


By Alexei Alexis  

Sept. 25 -- The drafting of a voluntary U.S. cybersecurity framework for the private sector is "essentially complete," National Institute of Standards and Technology Director Patrick Gallagher said Sept. 25.

"We are at the end, but we're only at the end of the beginning," Gallagher said at a cybersecurity summit in Washington. "Now we are really focused on taking what has been a remarkable effort and translating and driving it into practice. And for me, the litmus test of success is going to be the extent to which this framework becomes integrated with the way we operate."

The summit was sponsored by Billington Cybersecurity, a division of the Cyber Education Institute LLC, based in Chevy Chase, Md.

Under an executive order signed by President Barack Obama earlier this year, NIST must release a draft framework for public comment next month and publish a final version by February 2014. NIST released a preliminary draft framework for discussion at a Dallas workshop in September.


Gallagher: NIST on Track.

Gallagher indicated that he expected the agency to meet its October deadline. "The NIST team has completed their work reflecting the last input from the Dallas workshop, and it will shortly go into a clearance process in time for a release that's called for in the executive order," he said.

Although the voluntary framework is primarily designed for owners and operators of U.S. "critical infrastructure" and their partners, it is expected to benefit a broader array of organizations across the private sector that are facing cybersecurity challenges, according to NIST, a division of the Department of Commerce.


Cybersecurity Incentives Weighed.

The White House Aug. 6 unveiled preliminary recommendations from the Departments of Commerce, Homeland Security, and Treasury on incentives that can be used to encourage industry adoption of the framework.

The DHS is expected to coordinate the development of a program with incentives to promote the framework, once it has been finalized. In addition, regulatory agencies must review existing cybersecurity mandates to determine whether they are adequate in light of the framework.


To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com
