Earlier this week NIST did a complete revamp of their Cybersecurity Framework (CSF) home page. There is less information directly on the page but there are still active links to all of the developmental information from the old site.
It looks like NIST is getting ready for the publication of the final version of CSF. No word yet when that will be (to be fair the comment period just ended a little over a week ago) but the deadline that was established in EP 13636 was one year or February 19th, 2014. That deadline does not carry the force of law; the Director of NIST only has to keep his boss, the Secretary of Commerce, happy. In this case that means the keeping the President satisfied that work is progressing with reasonable dispatch.
We’ve already seen how much the President is holding the chemical folks to their deadlines on the Chemical Safety and Security EO, or the National Archives and Records Administration on the Sensitive But Unsecure Information EO deadlines. If NIST can get a document into the Federal Register by June, the President will probably be real happy. Unless, of course there is a major critical infrastructure breach, then all bets are off.
QUESTION: Why isn’t 40 million compromised bank accounts (ala Target) a major breach? It’s only money.