Saturday, August 31, 2013

Cybersecurity Framework Update – 8-31-13

As just about anyone who comments on cybersecurity issues has noted on a wide variety of social networking outlets the last couple of days, the folks at the NIST Information Technology Laboratory (ITL) published the promised Discussion Draft of the Preliminary Cybersecurity Framework. The tweaking of this document will be one of the prime activities that will take place next month at the 4th Cybersecurity Framework Workshop in Dallas, TX.

The ITL folks have actually been more prolific than that: there are four new discussion draft documents posted to their Cybersecurity Framework web site, as well as an updated draft agenda for the Dallas Workshop. The four new discussion draft documents are:

• A collection of Illustrative Examples;
• A control system specific illustrative example, an ICS Profile for the Electrical Subsector.

Each of the above documents deserves detailed examination, and I'll probably comment on them in more detail (particularly the last document) in future posts. Today I'll take a quick look at the new draft agenda, focusing on the changes from the version posted earlier this month. There are no real changes to the agenda, just a fleshing out of some of the details.

The previously ‘to be determined’ panel discussions have now been identified:

• Threat Panel (morning of September 11) – a discussion of "how threat information can inform the development of the Cybersecurity Framework and how it can be utilized in an organization's risk management process";
• Insurance Panel (morning of September 12) – a discussion of "the current state of the cybersecurity insurance market, how the Cybersecurity Framework could help insurance carriers grow the first-party market and be incorporated into underwriting/brokering processes, and anticipated challenges that may arise";
• Cross-sector Panel (morning of September 12) – a discussion of the "applicability of the Cybersecurity Framework to a range of diverse sectors and organizations"; and
• Implementation Panel (morning of September 13) – a discussion of "the harmonization of existing practices and standards with the Cybersecurity Framework".

The breakout groups that will form the working sessions have also been identified:

• Framework Presentation and Tools;
• Framework Implementation Tiers;
• Framework Governance;
• Areas for Improvement for the Cybersecurity Framework;
• Executive Engagement; and
• DHS Voluntary Program.

It certainly looks like an interesting workshop and I look forward to being able to participate.

