This week saw an interesting update of the NIST Cybersecurity Framework web site. The main portion of the page was significantly truncated, removing all of the information about the processes leading up to the publication of the Preliminary Cybersecurity Framework. Links to this information are provided in the ‘Additional Information’ section in the right-side column on the site.
Another interesting change was the addition of a link to an e-book version of the Preliminary Cybersecurity Framework. This is part of a NIST experiment in the publication of e-book versions of important documents. There is not yet an e-book standard format and NIST notes that their format will not work on all combinations of applications and devices. They have been successfully tested on “iBooks app on an iPad2, and the Kobo and Moon+ readers on a Samsung Galaxy Tab and ASUS Nexus 7” but there may be problems on some Kindles®.
Almost a month ago, NIST established the web site where they will be publishing comments. To date there is nothing posted to that site. I do not think that that is because there have been no comments submitted (sorry about the double negative), but rather due to the way that NIST will be analyzing the comments. As I noted in my earlier post on the publishing of the CSF in the Federal Register, the format for submitting comments will make it very easy to compile and analyze the comments, but it would make it rather tedious for outside readers to look through all of those forms to get an idea of how the public is responding to the Cybersecurity Framework.
Personally I would rather have a chance to peruse them as they are submitted so that I could do a weekly take on what is being said, rather than have to go through them all at once at the end of the submission process. This apparent methodology of delaying the printing of the comments also limits the possibility for people to respond to previously published comments.
For those of us who could not get to this week’s workshop in North Carolina, NIST has posted links to web casts of the morning sessions made by North Carolina State University (Note: The audio portion of the presentations is poor in many places). These were mainly panel discussions, which included:
• Preliminary Cybersecurity Framework Overview (Day 1; 0:22);
• Privacy and Civil Liberties (Day 1; 1:50);
• ISA Presentation (Day 2; 0:01);
• Perspectives from Telecom Sector (Day 2; 0:11);
• Adoption Considerations for the Framework (Day 2; 1:28); and
• Next Steps (Day 2; 2:21)
The only place where there is any significant mention of industrial control system security is during the ISA presentation. It focuses on the work of the ISA99 Committee in developing standards for cybersecurity for industrial control systems.
It would have been nice to have a web cast of the breakout groups, but that would not have been practical. Getting releases from all of the participants and getting good sound from those discussions would have been problematic.