This week the folks at NIST’s Information Technology
Laboratory (ITL) got around to posting some of the
comments that they have received on the Preliminary Cybersecurity Framework
(PCSF); at least I am hoping that the six comments are only ‘some’ of the ones
received. There is nothing earth-shattering in any of the comments posted to
date, but there are some thoughtful and helpful suggestions.
The most ‘radical’ comment comes from Secuilibrium. David
Ochel suggests that the current PCSF be scrapped in favor of the proposal from Phil
Agcaoil described in Anthony
Freed’s article at TripWire.com. Apparently David had some other comments
in the NIST spreadsheet format, but they did not make it to this comments
section.
John Guzman had an interesting point in his comments. He
asked why PII gets its own appendix when no other type of data protection does.
I would add that control system security deserves as much special attention in
the PCSF as does privacy.
Interestingly, only three of the commenters (if we count the
missing data from the Secuilibrium comment) used the NIST spreadsheet for
submitting comments. None of the others are really complicated or long-winded
so they should not be a problem for the NIST reviewers, but I hope that the
corporate lawyers that submit the typical last-minute comments will use the
spreadsheet. The NIST folks do deserve to get some holiday time with their
families while they are reviewing and responding to the comments submitted.
There is still a January deadline for the publication of the final CSF.
We are now halfway through the comment period. In the
remaining three weeks I expect that we will see a much larger number of
comments submitted.