Ongoing efforts to finalize a framework for the development of voluntary cybersecurity standards for critical infrastructure industries continued in Dallas this week.  NIST led a workshop with government and private sector officials to work through the details of the draft framework published on August 28th and required under Executive Order 13636. A formal proposal will be issued for comment next month and a final framework published early next year.

This week, NIST is specifically seeking input on implementation of the framework and ideas on its next iteration─a version 2.0.  At this time the core of the draft framework is comprised of identify, protect, detect, respond and recover.  Officials commented that the draft includes a proposed methodology for privacy, but that gaps linger and they continue to look for ways to bridge those.

Interestingly, NIST officials have been shopping this week for implementers─companies or entities that may want to give the framework a test run and provide feedback.

Concerns raised so far at the workshop included the eventuality of involuntary standards. Although the Executive Order directs the development of voluntary standards, commentators at the workshop acknowledged that standards could evolve into mandates for industry.