Earlier this week the National Institute of Standards and Technology published a brief update about the development of the Cybersecurity Framework on their web site. The update provides a brief discussion of where the process currently is and how NIST intends to get to the required publication of the Framework. This is part of NIST’s commendable attempt to keep the cybersecurity community engaged in the process.
Cybersecurity Framework Elements
The important new information in this update is a listing of the elements that NIST intends to include in their draft Framework. While most of this was outlined in the President’s Executive Order (EO 13636), this update provides a little more meat to the bare bones provided by the President. Abstracting that information further, the NIST Framework will:
• Identify effective existing practices to inform an organization’s risk management decisions;
• Provide a modular and flexible approach to enable organizations to relate cybersecurity needs to diverse sector and organization business drivers;
• Reinforce cybersecurity risk management as it relates to the enterprise risk management processes of an organization;
• Provide a means for an organization to express the maturity of their cybersecurity risk management practices;
• Include workforce considerations; and
• Address the need for organizations to manage the various types of dependencies, including those related to providers, processes, and technologies.
The brief discussion of the workforce considerations deserves special emphasis. This document makes it clear that the Cybersecurity Framework will address two separate levels of training requirements. First, there will be the general awareness training on cybersecurity requirements that all personnel with access to the critical cyber-systems will have to undergo. Interestingly, the update makes it clear that ‘all personnel’ should include “employees, partners, and customers” that have system access.
The second level of training will have to focus on ‘cybersecurity personnel’. The update notes that “the cybersecurity workforce must be trained and must maintain the skills necessary to understand the operating environment, the threats and vulnerabilities to that environment, and the practices available to combat those threats and vulnerabilities” (pg 2). The development of this type of training is one of the areas that NIST should stress in their proposed Federally Funded Research and Development Center (FFRDC). At the very least there is going to have to be some sort of federal support and guidance in the development of this professional workforce training program.
NIST Still Looking for Information
The update makes it clear that NIST is not done with the information collection phase of its process development (and hopefully this indicates the realization that such information collection efforts will have to continue to be an integral part of the Framework). Specifically NIST is looking for additional input in the following areas:
• The identification and availability of foundational cybersecurity practices;
• The actionable expression and management of privacy and civil liberties needs;
• The availability of outcome-oriented metrics that leaders can use in evaluating the position and progress of the organization’s cybersecurity status; and
• The mechanisms to enable critical dependency analysis for supply chains based on mission/business function.
The update reiterates the previous report that NIST will have an outline of the draft of the preliminary (this will certainly be a working document given all of those qualifiers) Cybersecurity Framework available by the end of the month, which means this coming week. All of this leads up to the 3rd Cybersecurity Framework Workshop to be held in San Diego, CA on July 10th and 12th.
NIST expects this Workshop to result in an initial draft of the Framework to include “a corresponding list of standards, guidelines, and practices that are currently being used by industry” (pg 2). We can only hope that the Framework being developed includes a methodology for keeping that list updated with revisions and new standards as the cybersecurity field continues to grow and mature.
NIST recognizes that everyone with an interest in, or input for, the development of the Cybersecurity Framework will not be able to attend the Workshop in San Diego. They are encouraging folks who cannot attend to provide their input via email (firstname.lastname@example.org).