This is the second in a series of posts about public comments submitted in response to the publication of the NIST Preliminary Cybersecurity Framework (PCSF). The earlier post is listed below.
This last week there have been 10 new comments posted to the NIST PCSF Comment web site. Actually, they were all posted to the site on November 25th, so it is very likely that additional comments have been submitted since then. This brings the total to a very disappointing 16 comments so far.
The comments form a very interesting spread of viewpoints. We have one comment from a hospital maintenance chief who wants to see violations of the CSF prosecuted as criminal violations (very unlikely, to say the least). And we have a ‘good job’ comment from a college CISO. In between the two we have a number of interesting suggestions, including:
• Adding a sub-category requiring continuous monitoring of configuration baselines;
• Adding a sub-category requiring mitigation of identified vulnerabilities in security controls;
• Aligning the language in the PCSF with that used in the National Preparedness Goal (NPG) and System;
• Suggesting the use of outcome-focused performance goals;
• Incorporating data governance, risk management and compliance in the system design phase;
• Considering the use of compliance automation tools;
• Considering the security implications of ‘data-in-use’;
• Redefining ‘Framework Profile’ as the desired outcomes and ‘Framework Core’ as a list of key activities, and re-ordering the two based upon those definitions;
• Including a discussion of the effects of uncertainty and complexity on cybersecurity; and
• Adding three steps to the ‘Getting Started’ discussion: 1) determine the scope of critical infrastructure to protect, 2) conduct a self-assessment of current cybersecurity status, and 3) ensure continuous improvement.
We are beginning to see more use of the NIST spreadsheet format for the submission of comments, but it is hardly universal. Part of the problem is that some suggestions for changes or improvements cannot be directly tied to a specific page or line in the PCSF.