None of these suggestions were incorporated into the first version of the framework. Instead, NIST greatly shortened the section dealing with privacy concerns, shifting most of that discussion to the “How to Use the Framework” section of the document. While the framework states that the “government and agents of the government have a direct responsibility to protect civil liberties arising from cybersecurity activities,” it notes that “not all activities in a cybersecurity program may give rise to” privacy and civil liberties considerations.
Commenters also suggested that NIST develop some sort of certification for companies that implement the framework. John M. Fowler, deputy information security officer for Henry Ford Health System, noted that while such certification would be voluntary, “the value derived from certification would be in the form of marketing, assurance between collaborating organizations, and selection of service providers following a thorough methodology for protecting information and systems.” NIST did not add any specific language regarding certification to the first version of the framework.
An accompanying document to the framework, called the Roadmap for Improving Critical Infrastructure Cybersecurity, does outline a plan for maintaining the framework over time. Within that roadmap is a section on “Conformity Assessment,” which states that NIST will continue to work with the private sector to ensure that companies are complying with the guidelines. However, the framework does not give any specific methods or plans for ensuring compliance.
As Greene from Symantec points out, such a mandate would exceed NIST's power. “A lot of the criticisms out there are really directed at the fact that NIST doesn’t have the legal authority to do more,” he says. “They’re not a regulator, they can’t have any mandates, and the executive branch doesn’t have the legal authority to give good incentives.” Greene adds that while he does not discount those criticisms, they aren’t criticisms of the framework, but rather are “criticisms of the legal and political environment that we live in inside the cyber world.”
NIST stated in its press release that the first version of the framework is a “living” document that “will need to be updated to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.” Stine of NIST points out to Security Management that the guidelines will inevitably change over time. “As technologies and threats evolve, the framework will need to evolve as well,” he says.