Happy Friday, federal friends! I hope you all enjoyed your long weekend and short work-week. We're cruising through February here at the global HQ in Beantown, with a big office move scheduled for early March. I hope most of you have begun to thaw out and for those of you out there having a similar winter to New England, think warm thoughts (it helps).
There was a nice article on Inside Security regarding NATO's take on the Framework released by NIST last week. The NATO Cooperative Cyber Defense Centre of Excellence thinks this step by NIST is a great way to start building the bridge for both federal agencies and industry to collaborate on the threats they see. While the center hasn't given the Framework a full assessment, it does see the positive strides taken by the US Government. The center's spokeswoman went as far as saying this could be a potential model for other member nations to follow. While there is still a lot of work to be done in order to bring the private and public sectors together, the roadmap is in place for the process to begin. Looking further along the line, it's easy to see that alliances like NATO can aid in these types of frameworks and compliance efforts by having their member nations adopt similar cyber-strategies and share their results with other allies.
Additionally, there is now a social network available for a wider audience to share cyber-threat information and tactics. Much like the NIST Framework, the amount of information that organizations can share is entirely voluntary, and what they want to disclose is completely up to them. The ActiveTrust platform, from Internet Identity, has been used for the last year by several federal agencies and other enterprise organizations. The aim going forward is to open this up to the private and public sectors, but for now it is focused on large Fortune 500 companies and federal agencies. Also, each organization is vetted prior to being accepted into the program. Should this be adopted by a larger audience, this would be a step in the right direction following the EO from last year.
While the groundswell of positive feedback is continuing for NIST, the proof will be in the pudding. The true measure of success won't be seen in the near-term, but there are positive benchmarks they should look for. The first true benchmark is adoption of these recommendations by both sectors. Additionally, there needs to be traction in the information sharing department. The IID platform is a good start, but severely limited in scope, given the rash of smaller companies being breached globally. Focusing on Fortune 500 and federal agencies is great as they are targeted more than most, but by leaving out the smaller private organizations we still leave a gaping hole in understanding the true threat landscape. Getting all facets of the economy on board will help to ensure that best practices are being adopted by government and industry nationally as well as globally, ultimately making us all a little more secure.