Along with publishing the Preliminary Cybersecurity Framework this week NIST published a draft agenda for the 5th Cybersecurity Workshop to be held in Raleigh, NC on November 14th and 15th. The web page for this workshop notes that:
“At this workshop, NIST will continue discussions on the implementation and future governance of the Cybersecurity Framework.”
Keeping in mind that this is just a draft agenda, presumably subject to change, it looks like there will be a fundamental shift in this workshop, more towards selling the Framework than in developing the framework. This is not unexpected since the Preliminary Cybersecurity Framework is now open for public comments.
The heart of this Workshop will be two sets of working sessions. The first set will run from 1:30 to 2:45 pm and the second from 3:15 to 4:45. The same six topics will be discussed in both sessions; it is not clear if this was set up to be a total of 2-hrs and 45-minutes of work on the topics, or if it was designed to give participants a chance to take part in two different discussions. The current proposed topics are:
• Small and Medium Business Considerations;
• How to Use the Framework;
• Voluntary Critical Infrastructure Cybersecurity Program;
• Research and Development; and
• Framework Ecosystem Development.
Additionally there will be presentations and panel discussions on topics including:
• Preliminary Cybersecurity Overview;
• Adoption Considerations;
• Industry Perspectives Panel; and
• Privacy and Civil Liberties.
Looking at these topics it is not clear why NIST claims that the target audience is:
“Critical Infrastructure Owners and Operators and cybersecurity staff. Specifically those who have operational, managerial and policy experience and responsibilities for cybersecurity, technology and/or standards development for Critical Infrastructure companies.”
It would seem that with the apparent focus on selling the Framework, it would be more beneficial to draw participants that have the ability to persuade owners of the utility of adopting and implementing the Framework. It would seem that a more appropriate target audience would be industry association representatives, industry publications and bloggers.
Perhaps we will have a better understanding of the purpose of this Workshop when the final agenda is published, probably early next month.