After debacle, group pushes for tests of NIST cybersecurity framework

More needs to be done to identify what adoption of framework really means, ISA says

The Internet Security Alliance, a multi-sector trade association, wants to know what adoption of a new cybersecurity framework will entail for companies in critical infrastructure industries.

In a proposal pitched to the Department of Homeland Security and sector-specific agencies, the ISA this week called for beta tests of the National Institute of Standards and Technology's framework to identify the cost-effectiveness of adopting the controls it recommends.

"We have already seen the results of not doing enough testing before launching a major program with," said Larry Clinton, president and CEO of the ISA. "Similarly, the cybersecurity framework needs to be tested just as the private sector would do with any major product or service before it was rolled," he said in a statement.

The framework is a core component of President Obama's Cybersecurity Executive Order issued in February. It is designed to serve as a security best practices guide for companies in critical industries, including telecommunications, financial services and energy.

The framework offers specific guidance on how companies can identify the assets that need to be protected, the controls and standards they can use to achieve that goal, and the measures they can take to detect, respond to and recover from a cyberattack.

The framework, which was developed with extensive input from industry stakeholders, is not a standard by itself but more of an information resource that companies can use to identify and close gaps in their security. It is also designed to help companies evaluate their security posture and move them toward specific security goals.

NIST released a draft version of the framework in October and is scheduled to release the final version in February.

Critical infrastructure companies are not required to follow the advice in the framework. But many expect that once the framework is released, it will become a de facto best practices guide for information security in critical sectors. Some legal experts have warned that companies that don't have the security controls referenced in the framework could find themselves exposed to liability issues in the event of a breach.

The government has said it will consider offering incentives to get companies to adopt the security measures recommended in the framework.

The big issue is that there is little to no clarity on what "adopting" the framework means, Clinton said in an interview with Computerworld on Friday.

"The government is saying that adopting the framework will get you this incentive. But first you've got to know what you have to do in order to get the incentives," he said. "We are going to have to get some clarity on what it means to adopt the framework," he continued. "Does it depend on the sector, do you have to adopt everything? These are issues we need to wrestle to the ground," before NIST rolls out the framework next year, he said.

According to Clinton, the best approach is to see how companies, especially small to medium-size businesses in critical infrastructure areas, hold up against the measures recommended in the framework. The goal should be to identify security gaps and to see how much it would typically cost for these companies to implement the recommended controls. The beta tests should also focus on the effectiveness of these controls, he said.

Without such information, many companies in critical sectors won't know what to do with the framework once it becomes available, or how much it would cost them to adopt the recommended controls, he said.


Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
