This is part of a detailed look at the recently published Discussion Draft of the Preliminary Cybersecurity Framework (PCF). The NIST Information Technology Laboratory (ITL) published this and supporting documentation to their web site during the week of August 28th in order to allow for public comments and preparatory work for the 4th Cybersecurity Framework Workshop in Dallas, TX next week. The other posts in the series are:
Section 4 of the Discussion Draft addresses a number of issues for future action in support of the requirements set forth in §7(b) of Executive Order 13656. The Draft identifies the following areas “that should be addressed through future collaboration with particular sectors and standards-developing organizations” (pg 11):
• Automated Indicator Sharing;
• Conformity Assessment;
• Data Analytics;
• International Aspects, Impacts, and Alignment;
• Privacy; and
• Supply Chains and Interdependencies
Since the third item appears to be related to something akin to regulations, a major concern of industry, I would like to use this post to address ‘Conformity Assessment’.
Private Sector Assessments
The discussion in §4.3 (pg 12) makes it clear that NIST is not referring to government assessments as part of a regulatory scheme. It starts the discussion off with the following statement:
“Industry has a long history of developing conformity assessment programs to meet society’s needs.”
And it closes the discussion with the following statement:
“Critical infrastructure’s evolving implementation of Framework profiles should drive the identification of private sector conformity assessment activities that address the confidence and information needs of stakeholders.”
Programs like the ISO 9000 quality assessment or The American Chemistry Council’s Responsible Care chemical safety program are the types of assessments to which the Discussion Draft is referring as examples of private sector assessment programs.
Conformance vs Security Debate
There has been a long-standing debate in the security community about the difference between conformance to standards and actually instituting adequate security. There is a belief common among security professionals that conformance standards promote a culture of checklists and of doing just what is necessary to get ‘approval’. I don’t know that anyone has ever done a real study on the relationship between standards conformance and whether or not an organization takes additional security (safety, quality, whatever) measures not required by the standards organization.
The other side of that question is this: even if establishing a cybersecurity assessment program does produce a tendency toward checklist security, will it still improve the general level of cybersecurity in an industry? Will organizations that do not currently have an effective (or any) cybersecurity program make real improvements (if perhaps less than optimal ones) to their cybersecurity posture as a result of trying to achieve a minimum level of cybersecurity certification?
Right now the answers to these types of questions will largely be anecdotal. The only real user-level cybersecurity standard (with assessment) that I know of is the NERC CIP program and I haven’t heard of anyone doing any real studies of the efficacy of that assessment process. It would be interesting to have either NIST or NSF conduct such a study.
Assessment as an Incentive
The reason that most organizations take part in voluntary assessment programs is that it is good for business. The initial organizations that join these standards assessments do so to differentiate themselves from their competition. As more organizations join the programs, participation becomes a defensive measure as customers begin to ask why a vendor doesn’t take part in the programs, with the unasked question: what are you hiding?
Since the Cybersecurity Framework is specifically targeted at high-risk critical infrastructure organizations and facilities, people are, over time, going to expect some sort of statement of compliance from such organizations. This will, of course, be limited to some extent, since DHS is not expected to announce which organizations are going to be targeted by this program. Even so, there will be some obvious facilities and organizations that will be assumed to be on the List (even if they may not be), so there will be an expectation of a need to comply with the Framework.
As cybersecurity becomes more of an obvious need (almost certainly after a publicly successful attack on an industrial control system), the business community will expect more organizations to comply with the Framework. The best way to gain recognition for compliance will be through one of these compliance assessment programs.
As the Framework advances (and I still have some doubts about the completion of this process), I think that we will start to see industry organizations developing assessment programs to support facilities that will be expected to comply. I would not be surprised to see the American Petroleum Institute or ACC be among the early implementers. And NERC might be expected to adapt their CIP assessment process to more nearly incorporate the Framework.