Keeping in mind a dynamic and changing cyber threat landscape, the National Institute of Standards and Technology (NIST) plans to have an accompanying roadmap to the forthcoming Cybersecurity Framework as a guide to future action, according to a NIST official who has been a key participant in managing the coordination of the framework.

The roadmap is important because “that’s thinking about what are the next thing we need to work on,” Adam Sedgewick, senior Information Technology Policy Advisor with NIST, said on Dec. 5 during a panel discussion at the Center for Strategic and International Studies on the emerging Cybersecurity Framework and advanced threats. Sedgewick invited stakeholders in the framework to examine the roadmap and look for ways to improve the framework “and how we should structure that work over the next years.”

A preliminary version of the Cybersecurity Framework was released in October and was followed in November by the fifth and final government and industry workshop aimed at putting the finishing touches on the guide. The framework will contain best practices for the nation’s critical infrastructures to adopt on a voluntary basis to better protect their computer networks against cyber attacks.

NIST, which has been coordinating the development of the Cybersecurity Framework, has maintained that it would be a “living document” that can rapidly evolve to meet stakeholder needs. The roadmap that will accompany the framework will outline the structure for updates.

Robert Butler, chief security officer for the data center company IO, praised NIST for the work it has done on the framework and for its plan to keep looking forward to improving it. Butler, who prior to joining IO was the deputy assistant secretary of defense for Cyber Policy, also said the framework provides a “basis for moving forward” with boosting the cyber defenses of critical infrastructures in the United States.

Angela McKay, the principal security strategist for Global Security Strategy and Diplomacy at Microsoft [MSFT], said the creation of the framework has already had an impact with her company’s customers. She said it is “driving conversations” that haven’t occurred before at the corporate level with chief security officers and boards of directors about cyber security.

McKay also said the framework is having an impact on domestic policy for the better, including basic security “hygiene.”

Craig Rosen, chief information security officer with the cyber threat detection company FireEye [FEYE], said the framework has the “right building blocks in place,” although he would like to see a greater focus on risk management areas. Paul Kurtz, the chief strategy officer for CyberPoint International, said that the biggest cyber security challenge he sees ahead, both to the framework and in general, is related to cloud technology.

Kurtz said the cloud represents an “enormous problem” because of its complexity, adding that it “is not easily defended.”

The preliminary version of the Cybersecurity Framework is open for public comments through Dec. 13. Sedgewick encouraged stakeholders to also review the comments and provide their own analysis and comments as NIST prepares to release the first version on Feb. 12, 2014.