The National Institute of Standards and Technology concluded a two-day workshop Wednesday developing the first update to the cybersecurity guide recently mandated for use by federal agencies.
NIST, a wing of the Department of Commerce, developed the original Cybersecurity Framework in 2014 as a voluntary, flexible way for businesses to create a cybersecurity plan. It emphasizes risk management rather than compliance with fixed sets of standards and is generally seen as a good starting point for organizations of all sizes and types.
The workshop debated ways to update the guide with advice on modern security practices such as multifactor identification, supply chain management and easing the way for third-party researchers to report security flaws. Also on the table were topics such as the internet of things and security metrics.
The Cybersecurity Framework is used the world over — 15 countries were represented at the workshop.
Participants said it went better than expected.
"In the past, people came to these to listen and learn about the framework, but the level of expertise rose this time. I was pleasantly surprised how prepared people were to work," said Kent Landfield, director of standards and technology policy at McAfee.
Last week, President Trump signed an executive order on cybersecurity that mandated federal agencies use the NIST framework. But NIST emphasized at the workshop that the primary stakeholders for the 1.1 version would still be businesses. Early drafts rankled those stakeholders with a section on federal alignment that has since been removed.
"[Agencies using it], that's all fine and dandy. We encourage federal agencies to use it, and we've always considered the government a stakeholder. But it is a document used across international boundaries," said Landfield.