This week the folks at NIST’s Information Technology Laboratory (ITL) got around to posting some of the comments that they have received on the Preliminary Cybersecurity Framework (PCSF); at least I am hoping that the six comments are only ‘some’ of the ones received. There is nothing earth-shattering in any of the comments posted to date, but there are some thoughtful and helpful suggestions.
The most ‘radical’ comment comes from Secuilibrium. David Ochel suggests that the current PCSF be scrapped in favor of the proposal from Phil Agcaoil described in Anthony Freed’s article at TripWire.com. Apparently David had some other comments in the NIST spreadsheet format, but they did not make it to this comments section.
John Guzman had an interesting point in his comments. He asked why PII gets its own appendix when no other type of data protection does. I would add that control system security deserves as much special attention in the PCSF as does privacy.
Interestingly, only three of the commenters (if we count the missing data from the Secuilibrium comment) used the NIST spreadsheet for submitting comments. None of the others are really complicated or long-winded so they should not be a problem for the NIST reviewers, but I hope that the corporate lawyers that submit the typical last-minute comments will use the spreadsheet. The NIST folks do deserve to get some holiday time with their families while they are reviewing and responding to the comments submitted. There is still a January deadline for the publication of the final CSF.
We are now half-way through the comment period. In the remaining three weeks I expect that we will see a much larger number of comments submitted.