This is the fourth in a series of posts about public comments submitted in response to the publication of the NIST Preliminary Cybersecurity Framework (PCSF). The earlier posts are listed below.
There were 51 new comments posted to the PCSF comment web site this week, more than double the number from the week before. This is still a relatively poor showing for a program that will have as wide spread an impact on such a wide range of industries. Since we haven’t yet seen comments posted from the major industrial organizations (American Chemistry Council for instance) that always comment I suspect that the last minute comments have yet to be posted to the site.
Again, please note that the summaries posted below are very broad summaries and the actual comments will provide much more detail.
The most recent set of proposed changes includes:
• Repeat of (8x) add three steps to the ‘Getting Started’ discussion; 1) Determine scope of critical infrastructure to protect, 2) Conduct self-assessment of current cybersecurity status, 3) Ensure continuous improvement.
• Expand concepts to include operational measures that have impacts on security.
• Expand citations of ISA 99.02.01 to include a parenthetical citation to the corresponding section or sections of IEC 62443 Part 2-1.
• Adopt current security planning terminology of “Identify Assets, Identify Risks, Create Policies, Implement, Monitor, Recover from an incident”.
• Differentiate between security standards for legacy devices and new installations.
• Include more requirements for the use of encryption for communications and data protection.
• Include discussion of security engineering.
• Comment that the lack of specific guidelines may make it difficult for small organizations to implement.
• Include ‘External Participation’ category to identify outreach efforts to be used by small organizations to aid in implementation of Framework.
• Address cost-benefit analysis as part of the risk assessment process.
• Identify how threat information will be shared.
• Include SC-44 (from App F, NIST Special Publication 800.53) as an informative reference.
• Add additional references including: ITU-T X.1528 - Common Platform Enumeration; ITU-T X.1520 - Common Vulnerabilities and Exposures; ITU-T X.1544 - Common Attack Pattern Enumeration and Classification; ITU-T X.1521 - Common Vulnerability Scoring System; and ITU-T X.1526 - Open Vulnerability and Assessment Language.
• Change references to Tier 1 to an unacceptable current state that needs to be improved upon, not an acceptable state.
• Add additional references including: Open Systems Interconnection (OSI) model; and ISO/IEC 7498-1.
• Include references to existing training certification programs.
• Include a voluntary self-assessment tool for determining current Tier status.
• Include discussion of the impact of HIPAA and HITECH regulations will impact Framework adoption in healthcare industry.
• Add additional references including: ANSI X9.8, X9.112 (D), X9.122 (D), X9.119, X9.117, X9.73, X9.31, and X9.62; and ISO 9564 and 16609.
• Include discussion of security layers.
• Add ‘Cyber Intelligence’ as a new category under Identify.
• Add an appendix that provides guidance on Framework implementation.
• Remove privacy appendix from current Framework.
• Include definition of ‘Framework Adoption’.
• Comment that too many of the categories are so expansive in their scope as to be unattainable.
• Limit privacy protection requirements to information assurance activities.
• More completely address privacy protection training requirements.
• Include closer ties between framework and the National Initiative for Cybersecurity Education (NICE).
• Detailed discussion of control system issues.
• Does not include a discussion of the role of insurance is risk assessment.
• Needs to address cybersecurity workforce issues including training and certification.
• Expand characterizations of potential losses in an ICS environment.
• Update references to ISA-62443-2-1.
• Should include stronger reference to use of Framework by regulatory agencies.
• Address more of the HISP Top 20 Mitigating Controls.
• Increased need for information sharing.
• Needs more emphasis on ‘security by design’ and ‘privacy by design’.
• Needs more emphasis on cryptography and digital certificates.
• Add subcategories for: "Policies to secure and protect cryptographic keys and digital certificates are established and enforced"; "Cryptographic keys and digital certificates are monitored to detect vulnerabilities and exploits"; and "Trust compromise response plan is established and implemented".
• Needs more emphasis on information sharing and taxonomy.
• Update Tier model and methodology.
• Add discussion of insider threat prevention and response.
• Detailed discussion of operational aspects of cyber intelligence.
• Detailed discussion of insider threat programs.
There are obviously other submissions that have been made that are not currently posted to the NISC comment site. That means that there will be at least one more of these blog posts in this series.