This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period was extended and will remain open until February 23rd, 2016. The previous posts in this series include:
This week there were 37 new responses to the RFI and most of them were dated on or before February 9th, the original comment cut-off date. This lag has been fairly normal for the NIST RFI’s and is certainly due to the fact that they have to hand process these comments from emails. If NIST stays in the comment reception process they really need to come up with an automated system for receiving/posting the comments.
Since the new comment deadline is this week I expect that I will be doing these posts for at least two more weekends.
The comments posted this week come from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”
A couple of commenters recommended that the CSF continue to be voluntary in response to this question.
One commenter noted that DOD, DHS and NSA are developing separate voluntary and mandatory guidelines and approaches which makes compliance more difficult. Another commenter suggested that the CSF be used to harmonize cybersecurity regulatory development. It was suggested by yet another commenter that policy makers should collaborate with federal agencies and the private sector to prevent duplication of regulatory processes and prevent conflict with superseding of regulatory requirements. One health care commenter called for more alignment within the federal government in applying risk management principles. Another commenter suggested that regulators use CSF reporting frameworks as part of their regulatory scheme.
Continued cooperation between standards setting organizations was also suggested. One commenter suggested that a public/private sector guidance body be established.
One commenter noted that the voluntary nature of the CSF implementation was beneficial because it allowed an organization to ignore, add or eliminate processes so that the CSF would be more applicable to the organization.
Another commenter noted that NIST should expand its development of CSF profiles for different regulatory regimes or that regulators could reference the CSF in their rules. One commenter noted that Sector Specific Agencies be required to develop CSF implementation guidelines. Another commenter suggested that the CSF be expanded to an international scope. Another commenter suggested that the CSF should be expanded to include more specific measurable/observable criteria to better support regulatory reporting.
One commenter suggested that continued private sector involvement in CSF updates would ensure that the CSF does not conflict with regulatory requirements.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
A number of commenters (8) recommended that the CSF should continue to be updated as existing standards are updated and new standards are published. One commenter noted, however, that updates should be limited to allow for adequate implementation experience to guide future updates; this was reinforced by other commenters.
One commenter specifically recommended that health care organizations take an active role in the update process. Another commenter suggested that outdated measures should be removed. A suggestion was made that NIST and industry should work together to develop industry specific implementation guidelines. Yet another commenter suggested that there should be more public safety input into the CSF development process. It was suggested that the CSF remain technology neutral.
An equipment vendor noted that supply chain security issues need to be addressed in the CSF. Another commenter suggested that the internet of things and bring your own device problems should be addressed in the CSF. Yet another commenter suggested that high level control areas for PKI security be included. A government agency suggested that future updates should reflect all stakeholder needs.
One commenter opposed regular updates to the CSF, noting that continuity was more important in the changing field of cybersecurity.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
A number of commenters (10) noted that the private sector should continue to provide input on CSF improvements.
One commenter noted that the private sector should be providing input to both NIST and standards setting organizations. Another commenter noted that multiple inter-sector dependencies need to be identified. One commenter maintained that private sector involvement leads to a sustainable program. Yet another suggested that the private sector should play a critical role in the CSF governance with another suggesting that the private sector should own the CSF and its governance.
One commenter suggested that private sector input be limited to anonymized input on implementation issues.
A total of 53 responses were ultimately received by the end of the original comment period from a broad cross section of responders. This actually ended up being a pretty decent number of responses for this type of non-regulatory request for comments. I was disappointed in the relative lack of responses from security researchers as I know that a number were involved in the original process that led to the publication of the CSF; I expect, however, that they would again get involved in any change process.
Having said that, it should be noted that I did not submit any comments to this RFI. Since the questions were mainly targeted at organizations that had either used the CSF or specifically decided not to use the Framework, I didn’t think that my more philosophical comments would really be appropriate. And that may have been why we saw so few comments from individuals in response to the RFI.
I want to remind folks that the continuing analysis of the responses to the RFI that I have been doing has been limited to those responses that specifically (and clearly) addressed specific questions in the RFI. For the most part I ignored (and suspect that NIST will largely ignore) the more verbose and erudite commentaries on the CSF that were submitted by a large number of the commenters. NIST was looking for specific information and those commenters were not helpful in that regards.
A number of those non-responsive responses were more targeted at the next version of the CSF and may have been more appropriately saved for that process. There was at least one exception to this; the comments submitted by HITRUST both addressed the NIST RFI questions and provided some in depth suggestions for how the next version of the CSF should look. If you are really interested in the future of the CSF I suggest that you take a look at their lengthy commentary; I expect (and hope) that they will be actively involved in the CSF revision process.
Readers of this series of posts will realize that I am a big fan of the NIST attempts to get commenters to use the spread sheet format for submitting responses to the questions that they asked. This makes the compilation and analysis of those comments so much easier. I would like to suggest that NIST continue to work at the development of this process and include the development of a methodology of automating the reception of those spread sheets.
OMB should be actively working with NIST on developing this process of automating the collection and analysis of public comments. This would go a long way to making the regulatory process more effective and reduce the time necessary to complete the regulatory process.