As I noted earlier, this coming week the National Institute of Standards and Technology will be holding their second Cybersecurity Framework Workshop in Pittsburgh, PA. This last week they updated their agenda for the meeting. As expected, this provides a clearer indication of what will take place at the meeting and ties in the NIST analysis of comments received in response to their request for information.
After a brief introduction to the NIST Framework process and their review process for the RFI comments, the workshop participants will be broken out into four groups to cycle through the discussion groups listed below. Each participant will take part in each of the tracks.
• Business of Cyber Risk
• Threat Management
• Cybersecurity Dependencies and Resiliency
• Cybersecurity Progression and Maturity: From Basics to Advanced Cybersecurity
The agenda specifically notes that attendees should expect to discuss “specific standards, guidelines, and practices identified in the RFI responses”. It would probably be a good idea (a little bit of sarcasm) to download the NIST analysis and read it before attending. I still say that it would be beneficial if NIST published the database they developed from the RFI responses. This would provide participants with better data upon which to discuss the proposals, as there is no way that the participants will be expected to wade through the over two hundred responses, some of them quite detailed. Even I didn’t do that in detail.
I am disappointed that there is still no indication that NIST intends to treat control system security differently from information system security in the Framework. There are too many fundamental differences between the two types of cybersecurity for them not to do so. NIST certainly has the internal technical expertise to understand this, but there has been nothing to date in their discussion of the development of the Framework that would so indicate. Maybe this will be addressed in Pittsburgh.