Cybersecurity has been a top priority for the Trump administration since May, when the President signed his long-anticipated and much-discussed executive order on cybersecurity. A key component of the order was the mandate for all federal agencies to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
When the order was signed, there was uncertainty about how the mandate would be received. A recent survey found, though, that more than 80% of federal employees and contractors approved of the mandate, a sign of strong support for the CSF.
To learn more about the adoption rates of the CSF since its introduction in 2014, I spoke with Matt Barrett, Program Manager for the NIST CSF.
Richard Tracy, Telos: The adoption trend for the CSF seems to be pretty impressive. Do you have a perspective on adoption thus far? I’m curious to hear what you’re seeing and what you’re thinking.
Matt Barrett, NIST: I was impressed, going on surprised, when a year and a half into the Cybersecurity Framework, during spring of 2015, Gartner released that the CSF’s U.S. industry use would hit 50% by 2020. Gartner still forecasts an upswing in use based upon the increasing demands for NIST to discuss the CSF and based upon the number of new participants in the current evolution of the Framework.
Even outside of the U.S. NIST has had a bilateral dialogue with 30 different nations about the Cybersecurity Framework. There’s a great deal of thought alignment happening in countries such as Japan, Canada, the Philippines, Israel, and Italy.
Tracy: Wow, that’s fantastic. When you released the Framework in February of 2014, were you expecting the take-up that you’ve seen so far?
Barrett: Of course we hoped to produce something valuable and had reasonable assurances that what we were creating was, in fact, valuable because we did it in a “come-one, come-all” collaboration with public sector, private sector and academia. We believed and hoped that it would be accepted by those three communities going into February 2014, but what can you really expect?
It’s fair to say I don’t think we expected all the success that we have achieved. That adoption rate is really fantastic. What startup wouldn’t kill for a 50% market penetration? I mean, this is unheard of stuff.
Tracy: What would you say is the reason for such successful adoption rates? Is there any one thing that you could attribute to the CSF’s success?
Barrett: When it comes to adoption, I think the Framework’s group authorship has been absolutely crucial. Truly, we crowdsourced the development process and effectively reconciled different perspectives from people in different industries. I’d like to think what’s happening is an affirmation that we got the most out of that collective thought process to create something that constituents actually need.
Tracy: From a government standpoint, this crowd-sourcing idea is somewhat unique, right? Where did that idea come from?
Barrett: At the beginning, all we had was a blank sheet of paper. We said, ”How do we populate this? How do we reduce risk within critical infrastructure so we get to something that’s valuable and effective?” We decided that we needed to have facilitated group discussion if we were going to get it right.
In these kinds of circumstances you can easily run into basic communications challenges that prevent success, despite our best efforts.
This time around, being able to look eye-to-eye and read our collaborators’ body language was incredibly important to – not only to eliminate miscommunication – but to actually understand what compromise and a middle ground could look like. So, really that’s why we went in the direction we did.
Tracy: Do you think the voluntary nature of the Framework has contributed at all to the adoption rates and the success that you’ve seen?
Barrett: The voluntary nature for industry is definitely one of the main factors of the CSF’s widespread adoption because it allows for the freedom to customize it in a way that maximizes your business value. This way, people can feel at liberty to use the Framework in the ways that make the most sense for their organization. For some people, maybe that’s just using a five-word sentence in a board room discussion. For other people, maybe that means the full customization that’s available in this concept that’s called a profile.
Tracy: The CSF became mandated via the Cyber Executive Order in May. Is that something that you anticipated at all? Or was it a complete surprise to you?
Barrett: We’ve always anticipated that alignment to the federal approach that was developed out of the Federal Information Security Management Act of 2002 might be in our future. We also always thought that aligning with the approaches in Cybersecurity Framework would be really important. But we never anticipated a mandate like this.
Typically, we’ve coached constituents away from mandating since it might inhibit customization. I think, in the end, the executive order is a very high-level mandate. It says, ”You will use the CSF,” but there’s no prescription for how to use it. It walks the line very well between having a mandate, and allowing people to use the CSF in a way that provides the maximum value.