This morning the National Institute of Standards and Technology (NIST) published a notice in the Federal Register (78 FR 13024-13028) requesting information in support of its development of the Cybersecurity Framework directed by the President’s Executive Order “Improving Critical Infrastructure Cybersecurity” (EO 13636).
The bulk of the request for information (RFI) is as I have described in two previous blog posts on the President’s Executive Order:
The opening paragraphs of the Supplementary Information section of the RFI are substantially different from those found in the Draft RFI published a week and a half ago. There is not a lot of new information here; mainly just a change in focus and justification for the development of the Framework. An important part of this is the following general statement of how NIST will tackle this complex task:
“As a non-regulatory Federal agency, NIST will develop the Framework in a manner that is consistent with its mission to promote U.S. innovation and industrial competitiveness through the development of standards and guidelines in consultation with stakeholders in both government and industry. While the focus will be on the Nation’s critical infrastructure, the Framework will be developed in a manner to promote wide adoption of practices to increase cybersecurity across all sectors and industry types.”
The suggestions that I made for additional questions and the modification of one question were certainly not adopted in the RFI. Since the suggestions were made just yesterday, even if NIST had been so inclined, there was not time to make changes to the RFI for today’s publication.
While the RFI provides a number of questions that NIST wants to have the critical infrastructure community address in their responses, the RFI also makes clear that any additional information the community can provide that might assist NIST in developing the framework will be appreciated. With that in mind I want to re-post the additional questions that I think should be addressed in the development of the Cybersecurity Framework. I would like to suggest that any critical infrastructure facility or organization with industrial control systems should address these questions when providing a response to this RFI.
• Does the organization maintain separate security programs for control systems and information systems or are they combined under a single manager?
• Are there significant differences in the ways in which the security programs for IT and control systems manage the risks associated with those systems?
• Does the organization utilize different standards, guidelines and/or best practices in establishing the security requirements for their IT systems and control systems?
The whole point of an RFI is to solicit public comments on the topic. Comments on this RFI may be submitted to NIST via email (firstname.lastname@example.org). Comments need to be submitted by April 8th, 2013. NIST reports that they will publish all comments received, without redaction, at http://csrc.nist.gov.
It is important that everyone in the control system cybersecurity community take the time to read and respond to this RFI. NIST needs as much input as possible from this community to ensure that the unique cybersecurity concerns of control systems are adequately addressed in the preliminary Framework being developed by NIST.
This early publication of the NIST RFI is one of the best signs that I have seen that this Executive Order might actually get implemented before President Obama leaves office. There are still a number of potential roadblocks and political hurdles that must be overcome, but this is an encouraging sign.