This morning the National Institute of Standards and
Technology (NIST) published a notice in the Federal Register (78 FR 13024-13028)
requesting information in support of their development of the Cybersecurity
Framework directed by the President’s Executive Order “Improving Critical
Infrastructure Cybersecurity” (EO 13636).
The RFI
The bulk of the request for information (RFI) is as I have
described in two previous blog posts on the President’s Executive Order:
The opening paragraphs of the Supplementary Information
section of the RFI are substantially different from those found in the Draft RFI published
a week and a half ago. There is not a lot of new information here; mainly just
a change in focus and justification for the development of the Framework. An
important part of this is the following general
statement of how NIST will tackle this complex task:
“As a non-regulatory Federal
agency, NIST will develop the Framework in a manner that is consistent with its
mission to promote U.S. innovation and industrial competitiveness through the
development of standards and guidelines in consultation with stakeholders in both
government and industry. While the focus will be on the Nation’s critical infrastructure,
the Framework will be developed in a manner to promote wide adoption of practices
to increase cybersecurity across all sectors and industry types.”
Suggested Changes
The suggestions that I made for additional questions and the
modification of one question were certainly not adopted in the RFI. Since the
suggestions were made just yesterday, even if NIST had been so inclined, there
was not time to make changes to the RFI for today’s publication.
While the RFI provides a number of questions that NIST wants
to have the critical infrastructure community address in their responses, the
RFI also makes clear that any additional information the community can provide
that might assist NIST in developing the framework will be appreciated. With
that in mind I want to re-post the additional questions that I think should be
addressed in the development of the Cybersecurity Framework. I would like to
suggest that any critical infrastructure facility or organization with
industrial control systems should address these questions when providing a
response to this RFI.
• Does the organization maintain separate security programs for control systems and information systems, or are they combined under a single manager?
• Are there significant differences in the ways in which the security programs for IT and control systems manage the risks associated with those systems?
• Does the organization utilize different standards, guidelines and/or best practices in establishing the security requirements for their IT systems and control systems?
Public Response
The whole point of an RFI is to solicit public comments on
the topic. Comments on this RFI may be submitted to NIST via email (cyberframework@nist.gov). Comments need to be submitted by April 8th,
2013. NIST reports that they will publish all comments received, without
redaction, at http://csrc.nist.gov.
It is important that everyone in the
control system cybersecurity community take the time to read and respond
to this RFI. NIST needs as much input as possible from this community to ensure that
the unique cybersecurity concerns of control systems are adequately addressed in
the preliminary Framework being developed by NIST.
Moving Forward
This early publication of the NIST RFI is one of the best
signs that I have seen that this Executive Order might actually get implemented
before President Obama leaves office. There are still a number of potential
road blocks and political hurdles that must be overcome, but this is an
encouraging sign.