Barnett said the Cybersecurity Framework is an achievement of government-initiated, industry-led collaboration that holds promise for improving cybersecurity. It is important to remember why Executive Order 13636 was issued: comprehensive cybersecurity legislation was not advancing, or even proposed.
While the new framework is an advance, it also has limits. No mechanism exists for measuring whether companies are adopting the framework or how well they are implementing it, other than self-assessment. “The incentives for adoption may not be enough, and legislation would be required for really meaningful incentives,” he said. Without assessment tools and incentives, it will not be easy to know whether the Cybersecurity Framework is working. “The framework is not a standard and, in fact, references numerous other standards, allowing each critical infrastructure entity to choose those standards most appropriate to its situation,” he said.