As promised, NIST is continuing to work on the Cybersecurity Framework (CSF). This week changes to the CSF web site reflect those continuing efforts. You have to click through a couple of links to find the actual change, but NIST will be holding another CSF Workshop next month. This one will focus on the privacy aspects of the CSF that were not fully addressed in CSF v1.0.
While privacy is not a major focus for most industrial control systems, the privacy processes will almost certainly be at least of some concern to managers of cybersecurity security programs. Part of any security program must include some form of vetting of personnel with access to computer systems. Vetting programs require the collection of personally identifiable information (PII) and thus privacy issues abound.
The current draft agenda for the April 9th Privacy Engineering Workshop at the NIST headquarters in Gaithersburg, MD does not include any specific discussion of security program privacy issues. That is not surprising since this is an engineering workshop, not a policy workshop. It will be interesting to see if the issue comes up in any of the discussions.