Responses to Latest CSF RFI – 01-09-16

Almost a month has gone by and we are just now seeing the National Institute of Standards and Technology (NIST) posting comments to their latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016.

As of this morning there are only three responses posted to the RFI Response site. They come from:

Comment Format

Before looking at the actual responses, I would first like to look at why NIST has suggested that comments on the RFI be submitted using the spreadsheet submission form provided on the RFI web site. This is a technique that NIST established for its earlier RFIs.

If you look at the three submissions available today, only one of them uses the spreadsheet. In the first submission it is very hard to actually find the comments from Mr. Marks, as he has appended them directly to the questions with no visual separation. The submission from Cybernance uses a similar format, but provides visual separation, which makes the responses easy to identify and read. Finally, the Esterline submission uses the NIST spreadsheet, which not only makes it easy to identify and read the response, but also makes it easier for NIST to abstract the comments into a review/response database.

The whole point of responding to a request for information like this is to have one’s voice heard in the most effective manner possible. NIST has come up with a technique that makes it easier for them to evaluate the responses, and at the same time is relatively easy for the responding community to use. Not only do I think that the public should use this particular response form for replies to this RFI, but other agencies should consider employing the same technique when soliciting public comments on RFIs and rulemakings.

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

Only one commenter addressed this question with a fairly succinct: “Form a single body for the US gov't that has a singular standard system.”

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

All three commenters generally agreed that the CSF should be updated regularly. One commenter suggested improving the ability to access the referenced controls. Another suggested upgrading the ‘Profile’ section to aid in charting a path forward for improving cybersecurity. The third suggested that the CSF should better reflect differences in response based upon organization size.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

All three commenters strongly supported continued involvement of the private sector. One noted that in particular organizations like the FS-ISAC (presumably including all information sharing and analysis centers) should be involved.

