This is the fifth (and perhaps the last) in a series of posts about public comments submitted in response to the publication of the NIST Preliminary Cybersecurity Framework (PCSF). The earlier posts are listed below.
There were 114 new comments posted to the PCSF comment web site this week, more than double the number from the week before. Actually the number of comments per week has more than doubled every week since NIST started posting the comments. With the number of comments submitted this week, I’m going to have to cut back my comments to those that reflect control system issues.
One thing that we are seeing this week is the ‘corporate comment’ that was obviously written by lawyers. These are older-format comments (not the NIST-requested spreadsheet) that speak in generalities of little or no use to anyone trying to clean up or improve the Framework. I’m counting these under the ‘Motherhood’ label.
• Repeat of (7x) add three steps to the ‘Getting Started’ discussion; 1) Determine scope of critical infrastructure to protect, 2) Conduct self-assessment of current cybersecurity status, 3) Ensure continuous improvement.
• Motherhood and apple pie comments (37x). Most of these include objections to the Privacy Appendix.
• Restrict Framework (4x) to the systems and assets essential to critical infrastructure functions.
• Move the Tiers concept to CSF 2.0 after more work.
• Address the role of Sector Specific Agencies.
• Add additional function; Authenticate.
• Address identity management.
• Address security design of communications networks.
• Add more substance to industrial control system issues.
• Add ‘Smart Grid’ to control system list.
• Add ISO/IEC 27002 as an Informative Reference.
• Add an Access Control category to Protect function.
• Add a listing of ISACs, CERTs, public-private partnerships, NIST special publications, and other resources for recovery.
• Add subcategory to governance category to address vendor cybersecurity issues.
• Add Secure Engineering Design category.
• Add ISO/IEC 19770-2 as an Informative Reference.
• Add ANSI/AWWA 430: Security Practices for Operations and Management as an Informative Reference for water systems.
• Add NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, Security Control 44 as an Informative Reference.
• Add critical infrastructure criticality measurement methodology.
• Add priority rankings to Core table for each subcategory.
• Address updates, patches and antivirus use in control systems.
• Needs to more completely address the current cybersecurity gaps identified in the various workshops.
• Include reference to use of Protected Critical Infrastructure Information (PCII) protocol for sharing information with government agencies.
• Expand use of threat assessment.
• Include more complete definition of ‘critical infrastructure’ to make it less ambiguous.
There is an interesting letter from Lloyd’s about cyber risk insurance. It is well worth reading in its entirety, as there has been a lot of discussion about insuring cyber risk, but they make one clear, definitive statement that throws that whole discussion into disarray:
“It is clear that the insurance industry’s current capacity to provide insurance coverage for cyber risk is insufficient to meet the anticipated size of the risk.”
Essential Problem with CSF
Jack Whittsitt has a very detailed letter about the current state of cybersecurity, the ineffectiveness of current ‘Best Practices’ and the shortcomings of the CSF. I urge anyone concerned with cybersecurity to read Jack’s letter submitted to NIST.
Guidance to Legislators
There is a very interesting comment provided by Southern California Edison about state legislatures getting involved in the cybersecurity process. They note:
“If state legislatures and regulators begin independently addressing cybersecurity concerns [with] inconsistent approaches, the lack of cohesion could actually reduce our overall defenses.”
The same could, of course, be said for the Congress, but the Executive Branch has a notoriously hard time controlling them. The proposed solution calls for providing “guidance to state legislatures and regulators regarding how to view the framework and their role with respect to the Framework.” I would love to see how that works out (tiny bit of sarcasm).
A number of commenters have at least partially addressed the relative lack of coverage of insider attacks in this CSF. One of the broadest statements on this is worthy of a blog post all of its own. It comes from Absio:
“Environmental controls are essential but alone they cannot mitigate the insider problem—and data loss is essentially always an insider problem. Whether attackers get inside via a perimeter breach (hacking or phishing, social engineering) or by invitation (Manning, Snowden), it is from the inside that they do their damage.”
The Big Problem with PCSF
One of the best short-form commentaries on the shortcomings of the PCSF that I have seen comes from the comments submitted by the Department of Defense:
“This framework may be written at too high a level to be executable at the company level. NIST SP 800-37, the Risk Management Framework, is written at a level that can be executed by industry individuals not well-versed in risk management principles.”
A large proportion of the commenters, and certainly the vast majority of those with specific change suggestions, used the spreadsheet format suggested by NIST in their RFI. With the large number of comments (and some were quite lengthy running to 30+ pages on occasion) this format will make it much easier for NIST to process and review the suggestions. Again, NIST is leading the way among government agencies in innovating the way that it interacts with the public and processes the ideas submitted to it.
The last comment posted to the comment page was placed there on December 20th, a full week after the close of the comment period. It is not clear whether that delay was due to it being a late submission or whether NIST handling issues delayed the posting. We’ll have a better understanding of that as we see whether additional comments are posted in the coming weeks.
I am still surprised that there hasn’t been more of an outcry about the short time frame that NIST provided for the comment process. On a program of this significance I would normally expect at least a 90-day comment period, not one of 45 days. This is especially true since the comment period included Thanksgiving and December is frequently a time of reduced staffing throughout industry and government.