Earlier this week the National Institute of Standards and Technology held their second workshop on the development of the Cybersecurity Framework required by the President’s cybersecurity executive order (EO 13636). According to various news reports the workshop drew a couple of hundred participants from various industries and cybersecurity vendors. NIST has published two of their presentations on their Cybersecurity Framework web site.
According to the workshop agenda the discussions this week were supposed to be focused on the results of the request for information (RFI) that NIST published back February. The week before the workshop NIST published their initial analysis of the results of that RFI and one of the two NIST presentations given at the workshop addressed that analysis.
The presentation initially explains the methodology that NIST used to extract, classify and collate the information provided in the over 200 responses to the RFI. Even if nothing else comes out of this framework process, NIST should develop this process into a formal tool that OMB should require to be used by all federal agencies when analyzing responses to the publication of proposed regulations when there are a large number of responses. It looks like a very effective tool and I urge NIST to publish the resulting database they developed for this RFI.
The presentation goes on to examine the results of the response analysis in some detail. The slide presentation does not provide any more information than is found in the initial analysis document. Fortunately, NIST web cast these two presentations for those of us who could not attend the workshop and a copy of that web cast will be available on the internet within the coming week for those of us who could not take time off of work to watch the live version.
Framework Development Schedule
One of the things that everyone is concerned about is how NIST intends to go about the process of developing the Framework. The other NIST presentation at the Workshop generally dealt with that topic. After providing a very generic overview of what NIST expects the framework to be they provide a time-scale for their portion of the development process (slide 6). The future dates of interest provided in that time-line include:
• Draft Initial Framework – June 2013
• 3rd Framework Workshop – July 2013
• 4th Framework Workshop – September 2013
• Publish Preliminary Framework – October 2013
This is a very aggressive schedule for any federal agency particularly one without any regulatory experience. I know that the Cybersecurity Framework is not intended to be a regulation, but it will certainly have very quasi-regulatory components. Preparing a framework that will hold up to regulatory scrutiny will be very important in the long run.
Presumably the gap between the 3rd and 4th workshops will include the development of the final draft of the Preliminary Framework and the 4th workshop will massage that draft somewhat before the final preliminary version is published in October.
NIST Framework Process
After rehashing some of the information about how NIST analyzed the RFI responses, the presentation starts to look at the process that NIST intends to use to develop the Framework. They start with a discussion of how NIST will select the components of the Framework. Slide 15 describes the selection process.
The most interesting thing about this slide (for the control system community) is found in paragraph b;
“If a candidate practice, method, or measure does not operate in support of core a EO objective then it is not considered for inclusion in the framework.”
Since the cybersecurity EO is IT-centric and does not mention control systems in any part of its discussion of the Cybersecurity Framework in paragraph 7 (presumably where the ‘core EO objective’ would be found), I wonder if this will be used by NIST as a method to avoid including control system security measures in the Framework. I certainly hope that that is not the case; a Cybersecurity Framework that does not specifically address control system security issues will provide no protections against catastrophic attacks on critical infrastructure.
It will be interesting to see how the initial draft of the Cybersecurity Framework deals with control system security issues. At this point we will just have to wait and see.