This week NIST updated their proposed draft for the Cybersecurity Framework that will be the focus of the upcoming Cybersecurity Workshop (#3) in San Diego. The changes came just about a week after the original draft was posted.
The changes are mostly word-smithing; the most common change is replacing ‘cyber risk’ with ‘cybersecurity risk’. The changes in wording seem to be relatively minor, but they almost certainly reflect some serious political responses to the first draft. The fact that NIST responded with changes so quickly (a one-week turnaround is unheard of) indicates the level at which those responses occurred.
I am not sure which bothers me more at this point: the fact that there is already this level of political interference in what should be a mainly technical discussion at this point, or that the leadership at NIST so badly read the politics of this process that they didn’t vet this document with the White House before issuing it. Both of these bode ill for the further development of a useful Cybersecurity Framework.