This is the third in a series of posts about public comments submitted in response to the publication of the NIST Preliminary Cybersecurity Framework (PCSF). The earlier posts are listed below.
This past week 21 new comments were posted to the NIST PCSF Comment website. The latest comments do a much better job of using the spreadsheet format for comment submission that NIST requested.
Interestingly, there seems to be a somewhat organized effort behind certain suggested changes, with a number of commenters using identical language to support them. Where I have seen this I have annotated the description of the change with the number of commenters who made the suggestion (e.g., ‘8x’).
Please note that my descriptions of the suggested changes are very brief and do not fully explain the concepts involved. Please use the provided links to see the details of each change.
The current set of proposed changes include:
• Repeat of an earlier suggestion (8x): add three steps to the ‘Getting Started’ discussion; 1) determine the scope of critical infrastructure to protect, 2) conduct a self-assessment of current cybersecurity status, 3) ensure continuous improvement.
• Move ‘Tiers and Profiles’ to CSF 2.0 as it needs more explanation and justification.
• Items missing from the framework: data integrity, cryptography, and cloud services.
• Include a cross-mapping (5x) of security standards; suggests using the CSA CCM.
• Include references to the Open Group Dependency Modeling (O-DM) standard, Open Group Risk Analysis (O-RA) standard and Open Group Risk Taxonomy (O-RT) standard.
• Address CSF certification, incentives to adopt CSF and collaboration/information sharing.
• Adopt HITRUST CSF categories, authoritative sources, maturity model, controls and control elements.
• Require two-factor authentication for any external access to critical systems.
• Specify that the scope address the delivery of ‘critical infrastructure services’.
• Expand the use of framework profiles to use as a tool to convey CSF requirements to supply chain partners.
• The CSF is not specific enough in its requirements, allowing too much leeway in implementation.
• Consider (3x) using the SANS Quick Wins approach for breach analysis.
• Expand the definition of privacy data to be protected.
• Limit the definition of privacy protections.
• Replace implementation tiers with the CERT Resilience Management Model (CERT-RMM).
• Add the NIST NICE Cybersecurity Workforce Framework as a reference.
• Revise categories and sub-categories to make each distinct and sufficient to describe a specific cybersecurity activity.
• Remove the concept of Tiers and replace it with a single description of the characteristics of a robust cybersecurity program.
The comment period closes next Friday. Given the way these submissions are posted, I expect I will have two more posts about the submitted comments.