As most people concerned with cybersecurity are well aware, the National Institute of Standards and Technology published the Framework for Improving Critical Infrastructure Cybersecurity on Wednesday. In a very real way there is nothing new in the Framework; it was designed to be a compilation of existing standards brought together in a way that would be more accessible to an organization wishing to evaluate and improve its cybersecurity profile.
The big benefit of the Framework is that it puts much of the cybersecurity problem in language that most business executives are comfortable with and understand. The Framework Core (Appendix A) breaks cybersecurity down into five Functions (Identify, Protect, Detect, Respond, and Recover). In turn, each of those is broken down into Categories (the outcomes to be achieved in each Function) and Subcategories (the more specific management tasks that would be undertaken to support the cybersecurity mission of an organization).
To this point in the Framework Core, everything is written in language familiar to most business executives with little or no cyber-expertise needed. The only real technical information provided in the Framework is the listing (Informative References) of the various existing cybersecurity standards (down to the section or paragraph level) that support each of the Subcategories in the Core.
This list of ‘Informative References’ is not designed to be comprehensive. It only lists information from six documents:
• CCS CSC;
• COBIT 5;
• ISA 62443-2-1;
• ISA 62443-3-3;
• ISO/IEC 27001; and
• NIST SP 800-53
A separate, more comprehensive listing of documents that provide some sort of technical information on cybersecurity programs (the Compendium of Informative References) is available [EXCEL download link] on the NIST web site. There is no indication on the NIST web site that this Compendium will be maintained as a current, up-to-date comprehensive listing of cybersecurity standards and programs.
There are a few major shortcomings with the Framework. First, by design, it is a completely voluntary program. The President has not been given a legislative mandate to create a critical infrastructure cybersecurity program, so he does not have the general authority to require that this program be implemented. There are ongoing discussions within the Administration about the limited areas where existing legislative authority does exist and might be used to apply the Framework.
The second drawback is that this is a management document, not a technical document. Even the six standards listed in the Informative References column are more cybersecurity management documents than detailed technical descriptions of how to implement the specific controls that will actually secure the various aspects of an organization’s cyber assets. Again, this is by design: no single document could identify all of the technical details while remaining a usable size, or stay up to date past the time it was drafted, much less published.
An organization will still need access to the technical expertise required to put the management guidance provided in the Framework into practice. What is missing from this document (and realistically cannot be put into such a document) is some method of ensuring adequate communication between management and that technical expertise, so that the organization’s specific risk, and the resources necessary to mitigate it, can be properly assessed.
The final problem with the Framework is that it exists in an informational vacuum. There are no mechanisms in place for sharing the operational or intelligence information that would allow organizations to adapt to the changing cybersecurity environment. Again, this is due to the lack of congressionally provided authority to establish and maintain the information sharing mechanisms that would make such an adaptation process viable.
The Framework does not, however, exist in a programmatic vacuum. As I mentioned in an earlier post, DHS is establishing a program to support implementation of the Framework by critical infrastructure organizations. In the coming weeks and months I would assume that we will see other federal programs addressing how they will support implementation of the Framework by the critical infrastructure organizations that they support and/or regulate.