Cybersecurity Framework: Tests Needed?

Debating the Merits of Beta Testing NIST's 'Final' Guide


Adam Sedgewick and Larry Clinton

The creators of the cybersecurity framework will soon begin writing the final version of the guide to information security best practices aimed at helping the operators of the nation's critical infrastructure secure their information assets (see: Obama, CEOs Meet on Cybersecurity Framework).

But calling it a "final version" is misleading. True, the IT security experts at the National Institute of Standards and Technology, who are shepherding the drafting of the cybersecurity framework, expect to make the Feb. 13 deadline imposed by President Obama. But Adam Sedgewick, the NIST official overseeing the cybersecurity framework, characterizes it as a living document that will be revised over the years as new cyberthreats appear and new ways to mitigate those threats emerge.

"We have a lot of expectations from industry to get this thing out in February."

The framework will consist of standards, guidelines and best practices intended to help owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Adoption of the framework will be voluntary.

Seeking More Industry Feedback

Since Obama directed NIST last February to create the cybersecurity framework, it has held five workshops where it solicited advice from stakeholders on what should be incorporated in the document. Since then, Sedgewick, NIST's senior information technology policy adviser, has hit the road, attending meetings and conferences seeking more ideas from those outside of government.

Stakeholders have until Dec. 13 to submit their suggestions to NIST by e-mail.

Sedgewick says NIST should begin to reduce its involvement in the evolution of the framework after mid-February by helping to create a governance structure in which the private sector, not the federal government, takes the lead for future revisions.

Beta Test Needed?

But there's another reason why the February document won't be the final version, according to Larry Clinton, president of the trade group Internet Security Alliance. He argues that the cybersecurity framework should be beta tested before the Obama administration approves it.

"We have already seen in the healthcare website [HealthCare.gov] debacle the results of stringently adhering to artificially determined deadlines and not doing adequate testing," Clinton says. "We are simply proposing the federal government do what any private-sector entity would do before it goes to a full launch of a new product or service - you run a beta test with selected target audiences and generate data to refine the product before you go to full deployment."

Clinton tells me, however, that he's not suggesting a delay in publishing the framework details in February.

"We don't think of it as delaying the framework," he says. "We think of it as doing what you would do with any commercial product or service - you go from the design stage, which is what we're issuing in February, and go into a testing phase."

Clinton says most large critical infrastructure operators could announce in February they're adopting the framework because it will largely incorporate the best practices they've implemented already. But he says many smaller critical infrastructure organizations without a sophisticated IT security program in place - say, a local water utility - would need to invest big bucks to implement the framework, and that wouldn't be wise without it first being tested.

Providing Cost-Benefit Analysis

"By doing the test, companies will be able to get data to encourage them to do it much faster," Clinton says. "When you have data and you can go to companies and say, 'This is going to increase your security by this amount, this is going to have this sort of cost-benefit analysis;' that kind of data is going to motivate better adoption than the absence of any data, which would be the case if we don't do the test."

Clinton wouldn't offer an estimate of how long such testing would take or how costly it would be. He suggests that industry and government share the cost of beta testing the cybersecurity framework.
