This is part of an ongoing look at the responses to the National Institute of Standards and Technology's (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder: the comment period will remain open until February 9th, 2016. The previous posts in this series include:
This week there were five new responses to the RFI. This is the largest number of responses in a single week, but it is still a remarkably small number of responses. This is even more concerning because the comment period ends on Tuesday. This week’s responses came from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”
Only three of the responders addressed this question in their response. One recommended that the CSF continue to be a voluntary program until such time as there is an industry-wide consensus that the Framework should be adopted. Another commenter suggested that various cybersecurity regulatory standards be included in the reference standards. The final commenter on this question suggested that a cross-functional group (including representatives from industry and standards organizations) be formed to establish a CSF change control process.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
The same three commenters also addressed this question. One suggested that change for change's sake should be carefully avoided. A second recommended that the next update should address risk management decisions and prioritization processes in more detail. The other responded that updates should be responsive to industry feedback.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
Again, comments on this question were only received from the same commenters that responded to questions 9 and 10. One expressed support for continuing NIST control of the CSF process with advice from industry. Another suggested that industry involvement should be specifically restricted to an advisory role to avoid conflicts of interest. The third commenter suggested that NIST continue using the RFI process and holding open public meetings and workshops when updating the CSF.
Only two of this week's commenters used the NIST spreadsheet for submitting comments. The third that responded to specific questions used a standard WORD® format with responses specifically keyed to the RFI questions. The remaining two commenters used the old-style letter format that pressed their organizational agenda rather than specifically responding to the RFI questions.
I suspect that that out-of-date response style means that what may have been legitimate and perhaps useful concerns will likely be given little consideration in moving the CSF update process forward. NIST has established a history of moving forward quickly in response to RFIs and that can only happen when specific responses are given to specific questions.
I really hope that there will be a much larger number of responses received in this last week of the response process. If we continue with the same level of response, it is hard to imagine that NIST will be able to continue forward with a rigorous update process for the CSF.