Barrett-Matt-Fed100Matt Barrett of the National Institute of Standards and Technology (NIST) Discusses the NIST Cybersecurity Framework and Adaptive Cyber Defenses. Learn how the Framework is evolving and how your organization can use it in this interview with ActiveCyber.

Matt and I crossed paths at a conference many years ago and I have always held his professional and personal acquaintance in high regard. When Executive Order 13636 was announced and I learned that Matt was taking the lead for it at NIST, I knew whatever NIST came out with was going to be good and so I was delighted when Matt agreed to this interview on the Cybersecurity Framework with ActiveCyber. Work on the Framework started over two years ago and it is still evolving. Discover how the Framework aligns with active cyber defenses and why it is important to all organizations. Learn how you can have an impact on the future of the Framework in the interview that follows.

Spotlight on Matt Barrett, Program Manager NIST

» Title: Program Manager at National Institute of Standards and Technology, Gaithersburg, MD
» Email: matthew.barrett@nist.gov
» Website: http://www.nist.gov/cyberframework/
» Linkedin: https://www.linkedin.com/in/matt-barrett-80459822
Read his bio below.


February 5, 2016

Chris Daly ActiveCyber:  Can you provide an overview of the evolution of the Cybersecurity Framework since being directed by Executive Order 13636 to “…enhance the security and resilience of the Nation’s critical infrastructure…?”

Matt Barrett, NIST:  One of the things the Cybersecurity Framework development process showcased is the time-tested NIST collaborative process. Allowing all parties to communicate their needs, and working toward a solution that satisfies as many of those needs as possible is standard operating procedure for NIST.

For Framework, we accomplished this through many collaborative mechanisms, including but not limited to two (2) requests for information, five (5) workshops in five different cities, and one (1) draft Framework publication. Throughout this process, NIST:

  • convened critical infrastructure owners & operators, government, and academia,
  • facilitated communication amongst collaborators, and
  • provided guidance to shape those thoughts into the Cybersecurity Framework.

Framework version 1.0 was released on 12 February 2014. This began an era of “understanding and use” for Framework. NIST supported that industry activity through outreach and general education.

Across a wide variety of topics – SCRM, privacy, system security engineering, critical infrastructure security – NIST is currently collaborating with both public and private sector stakeholders. NIST’s collaborative approach is more important than ever as Department of Commerce considers the long-term maintenance and evolution of Framework.

ActiveCyber: What are the key components of the framework and how should they be applied 1) to enable visibility into an enterprise security posture; and, 2) to support decision-making for prioritization of cyber initiatives?

Barrett: The key components of the Framework are the Core, Profile, and Implementation Tiers. The Core is the vocabulary or lexicon of Framework, authored as discrete cybersecurity outcomes. A Profile is a sector, subsector, or organizational adaptation of the Core. Implementation Tiers are a qualitative scale from Partial (1) to Adaptive (4) representing an organization’s cybersecurity risk management practices. A recommended way to use Profiles is to transpose mission objectives and priorities into the standardized set of cybersecurity objectives represented in the Core. This prioritization becomes the basis for an as-is assessment to determine enterprise security posture. It also can be used to support prioritization and decision-making for various cyber initiatives.

ActiveCyber: Can you briefly explain the concepts of maturity models and implementation tiers and how they may be used by adopting organizations?

Barrett: One key feature of Tiers is how they enable trade-off decisions. There is a cost to being “a 4” versus “a 3,” and there is a corresponding operating risk with each level of cybersecurity risk management. The Tiers can be used to decide when it is appropriate for one part of your organization to operate as a 3, such that resources can be made available for another part of your organization to operate as a 4.

ActiveCyber: How does adaptive / active cyber defense fit into the Cybersecurity Framework (example, Implementation Tier 4)?

Barrett: Some hallmark properties of a Tier 4 organization are:  it manages “its cybersecurity practices based on lessons learned;” and, “continuous awareness of activities on” systems and networks. Active cyber defense turns continuous awareness into lessons learned, and then into practice in near-real time. An organization that utilizes active cyber defense is well prepared to become a Tier 4.

ActiveCyber: What has been the rate of adoption of the framework over the last two years and what types of benefits have CIKR organizations reported?

Barrett: I will let Gartner speak for this. Gartner states: “By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.” Gartner Inc. https://www.gartner.com/user/registration/webinar?resId=3163821&commId=180719&channelId=5500&srcId=1-3931087981

ActiveCyber: How are you measuring the effectiveness of the Framework in its ability to positively impact cybersecurity for CIKR organizations?

Barrett: Direct and quantitative measurement of risk reduction is very complicated. Modern enterprises and their cyber risk management programs are incredibly complex. This means an aggregate measure of risk reduction is attributable to many many factors. For that reason, we prefer to measure the positive effects of Framework (just one of many factors that may have changed in an enterprise in a given period of time) via user stories (aka anecdotal) of the value they receive from the Framework. User stories, as conveyed directly to NIST and our Federal partners, as well as media quotes regarding use and effectiveness provide a lot of indications of the positive impact of Framework on cybersecurity.

ActiveCyber: How do enterprises get started in using the framework? Are there incentives or forums for enterprises to share lessons learned, profiles, or other artifacts to bootstrap other CIKR companies that are less mature?

Barrett: To gain an understanding of Framework, check out upcoming events where NIST is speaking about Framework, and review the Industry Resources cataloged at the Framework Web page. Both upcoming events and Industry Resources can be found at http://www.nist.gov/cyberframework/

When organizations are ready to apply Framework, focus first on the Business Environment, Governance, and Risk Management Strategy Categories, then move on to the rest of the Framework Core.

ActiveCyber: One of the expressed objectives for the framework is to provide a common language for communicating security risks. Given this objective, what is the rate of ISACs’ and other cybersecurity forums’ adoption of the Framework?

Barrett: There is no specific rate of adoption to report. That said, NIST has interacted with many ISACs and those moving ahead with the ISAO construct. There is a favorable view of Framework within those information-sharing communities, as well as a wide variety of trade organizations that facilitate translation amongst organizations.

ActiveCyber: What are the high priority items for NIST to improve or enhance the framework? What is the timeline for these improvements?

Barrett: We have requests for additional guidance on Implementation Tiers and also for the addition of Cyber Threat Intelligence to the structure of the Core. If NIST continues to hear these stances expressed in the current request for information responses, we will likely move forward with these updates. Responses to that RFI are due at 5PM ET on 9 February 2016.  UPDATE – Matt reports that the deadline for responses has been changed to 23 February 2016.

ActiveCyber: Where can enterprises learn more about the Framework or receive help in implementing the Framework?

Barrett: Check out upcoming events where NIST is speaking about Framework, and review the Industry Resources cataloged at the Framework Web page. Both upcoming events and Industry Resources can be found at http://www.nist.gov/cyberframework/ All parties are welcome to direct questions or comments to cyberframework@nist.gov.


Looks to me that the Cybersecurity Framework is a critical guide for improving our cyber defenses and providing a common point of reference for helping to make risk-based decisions for cyber investments. Thanks Matt for all the good work that NIST has done to bring this to us and ActiveCyber looks forward to future revisions to the Framework as it continues to evolve.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.

About Matt Barrett

Matt Barrett is an outcomes-oriented executive who has been an engineer, a Fortune 100 consultant, a Federal contractor, and a Federal employee. These stations in his career have enabled him with a very broad perspective on people and business. Mr. Barrett currently serves as Program Manager for the NIST Cybersecurity Framework (“Framework”) to fulfill Presidential Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. The Framework provides an information security program management lexicon, expressed in terms of cybersecurity outcomes. Mr. Barrett leads the program through program planning, team oversight and coordination, and outreach to industry and Federal organizations seeking to learn more about the Framework. Other recent roles include managing NIST’s Security Content Automation Protocol (SCAP) program. These program roles draw on nearly 20 years of fiscal successes managing profit centers in multi-billion dollar multi-national companies and 100 person small businesses.