This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:
This week there were ten new responses to the RFI. This is almost the same as the total number that had been submitted by last Saturday, and they all came before the original deadline. This week’s responses came from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”
One commenter recommended that the Federal government should consolidate the Federal cybersecurity effort to avoid having multiple requirements from separate agencies. Similarly, another commenter suggested that if the CSF were to become the regulatory standard, that all agency regulations should be based upon that standard. On the other hand, a separate commenter noted that regulatory requirements should be included in the CSF. Alternatively, another commenter suggested that NIST should have greater outreach to Federal, State and local regulators to aid them in developing consistent regulatory schemes.
One commenter noted that as new industry and international standards are developed they should be incorporated in the CSF. Another commenter suggested that the relationship between the CSF and the NIST Risk Management Framework should be clarified.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
One commenter noted that the CSF should be cautiously updated to reflect changes in evolving cyber technology and the risk landscape. Another commenter suggested that the CSF needs an implementation plan and an assessment tool like DHS’ Cyber Resilience Review tool. Yet another commenter recommended that newer versions of the CSF should focus on critical areas and key mitigation plans like perimeter defense strategies.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
One commenter suggested that while NIST should maintain responsibility for CSF governance, ISACS should become directly involved in CSF changes. Another noted that industry Organizations like CHIME should become involved in the CSF process. One commenter suggested that the NERC CIP process has shown that a period of stability is needed between revisions of the CSF, so that lessons learned can be properly identified and incorporated.
While the number of commenters that have provided input during the initial 60-day comment period is staggeringly inadequate, the latest batch has a number of interesting and provocative ideas for NIST to consider.
I would like to point out that the majority of the comments received this week were in the CSF comment submission format. This makes the review of the comments much easier. Commenters need to realize that if their intent is to actually influence the CSF improvement process, then making it easier for the reviewers to understand and collate the responses increases the efficiency of the influence.
There were a couple of commenters that seemed to have confused the management tool that is the Cybersecurity Framework and cybersecurity regulations. The CSF is a tool that can be used to analyze the current state of an organizations cybersecurity practices and to figure out what the organizational goals in the field should be and how to achieve them. Regulatory schemes are designed to set minimum standards, establish compliance measures for those standards and ensure that those compliance standards are met. One would like to think that an organization, while having to meet regulatory requirements, would aspire to a higher standard performance. The CSF provides a tool to establish that higher performance level and outline a means to achieve that goal.
Regulatory agencies could certainly use the CSF as a tool for ensuring that their minimum standards reflect industry standards and capabilities. It also provides the necessary references for finding appropriate measurement tools to gauge the effectiveness of responses to regulatory requirements.
But, the CSF is not a regulatory framework. It was never intended to be such and would lose much of its effectiveness if it became one. Probably the greatest advantage of the CSF verses cybersecurity regulations is that it should be easier to update the Framework to reflect changes in the cybersecurity landscape than it would ever be to update regulations. In large part this is because it’s voluntary nature makes organizations much less resistant to changes in the Framework.