Yesterday the National Institute of Standards and Technology updated their Cybersecurity Framework web site to provide links to three new documents related to the President’s cybersecurity executive order (EO 13636). They just made their self-imposed deadline for getting the information out, but there should be adequate time for participants at the next Framework Workshop (to be held in San Diego) to review the documents and determine what specific changes they would like to see before the July 10th meeting.
The three documents are:
• Draft Framework Core; and
The Draft Framework
Actually this would be more accurately called a format for the Framework. There is some possible language in the document that might find its way into the Draft that will be submitted to the President this fall, but it is boilerplate language. Much of that language is a rehash of the President’s requirements for the Framework taken from the EO.
The parts of this document that will likely survive intact (in format, anyway) to appear in the Draft Framework are found in links included in the document. Many of these are spreadsheets and .PDF documents to be used by organizations implementing the Framework and will act as an implementation record for those organizations. The linked documents include:
• What Every CEO Should Know About IT Security (an eBook);
• DHS Cybersecurity Questions for CEOs (flyer);
• More Intelligent, More Effective Cybersecurity Protection (Business Roundtable Report);
• Function Matrix Shell (spreadsheet explanation);
• Draft Framework Compendium (embedded spreadsheet: Standards and information sources for cybersecurity);
• Framework Implementation Levels (Example for Framework data recording);
• Draft Illustrative Framework (embedded spreadsheet: Example of linking standards and information sources to implementation tasks); and
There is a long way to go to get from this document to a Draft Cybersecurity Framework this fall. I suspect that there will be significant changes to the document’s format and a great deal of fleshing out of the details. I wish them the best of luck at the upcoming Cybersecurity Framework Workshops.
Having perused this document and the various embedded and linked publications, I feel a lot better about industrial control systems being included in the Framework coverage. There are numerous references to NERC CIP documents in the Compendium (I know; CIP is not, strictly speaking, a control system program, but it does include significant control system mandates). And the Glossary definition of ‘Cyber Environment’ specifically includes a mention of ‘control systems’.
Having said that, this document demonstrates that the focus (but not the exclusive focus) of the Framework will be information security. I am afraid that the amount of attention paid to control system security issues will be minimal and ineffectual at best.