Saturday, February 27, 2016

Responses to Latest CSF RFI – 02-27-16

This is part of an ongoing look at the responses to the National Institute of Standards and Technology's (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). As a reminder, the comment period was extended until February 23rd, 2016. The previous posts in this series include:

This week there were 47 new responses (almost as many as had been posted in total by last week) to the RFI. All but one of them were dated after February 9th, the original comment cut-off date, and one was dated after the new cut-off date. Obviously it was a smart move on the part of NIST to extend the comment period. As I noted last week, I expect that there will probably be one more of these posts to catch any additional late adds to the response list.

The comments posted this week come from:

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

One commenter suggested that federal regulators map their cybersecurity regulations to the CSF as the CSF is mapped to various standards. Another commenter suggested instead that NIST conduct such regulatory mapping. Regulatory mapping was addressed by a number (6) of additional commenters.

One commenter noted that the effect of IoT on the CSF should be looked at. Another commenter suggested that there should be more emphasis on acquisition and supply chain issues.

One commenter suggested that regulators use CSF reporting as their regulatory methodology.

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

A number of commenters (1) recommended that the CSF should continue to be updated as existing standards are updated and new standards are published.

One commenter noted that the CSF should be expanded to include cyber threats, insider threats and physical threats. Another commenter suggested that the CSF should involve more detail about technological concepts that affect implementation. Yet another suggested that the CSF should include more detail on creating a target profile. And another suggested more emphasis on state-of-the-art risk management practices. And another requested that the CSF be expanded to include product integrity and supply chain security. Another commenter suggested that medical device and industrial control systems need coverage in the CSF. Big-data and cloud privacy issues were suggested by another commenter as areas that need to be addressed.

One commenter suggested that CSF stability should be a primary concern. Another commented that reducing the frequency of updates would be helpful.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

A number of commenters (7) noted that the private sector should continue to provide input on CSF improvements. One commenter specifically recommended continued use of RFIs and regional workshops.

One commenter argued that the users of the framework should provide the governance. Another commenter suggested that the private sector should provide feedback on implementation issues.

One commenter suggested that NIST should hold semi-annual workshops to address potential changes to the CSF.


A total of 100 responses have been posted to the NIST site as of today. Fewer than half of the commenters either used the spreadsheet format requested by NIST or keyed their responses to specific questions posed in the RFI. I really wish that the commenters that did not have the common decency to take the effort to consider how NIST was hoping to use their responses would sit down and read the 100 responses submitted to date and try to make sense of the data presented.

I am sure that a great deal of effort went into developing these 10 and 20 page responses that went into great detail about how the organization was diligently working on cybersecurity. Unfortunately, those comments were better suited to a press release than being helpful to NIST in charting the future of the CSF.

Over the last two weekends I have spent four hours reviewing responses to look for and analyze information on just three of the twenty questions. And I did not even attempt to read the responses that were not prominently keyed to the specific questions I was looking at. NIST on the other hand is going to have to peruse each of the missives to try to extract the requested information. I do not envy the NIST reviewers who will be required to review each and every submission, no matter how verbose and self-advertising.

It was interesting that out of 47 submissions posted this week, only one mentioned the fact that the CSF needs to be periodically updated to reflect revisions to the various standards referenced in the document. In the long run, I think that it was probably more important that a number of commenters noted that there should be a mapping of CSF and cybersecurity regulations. Comments went both ways, suggesting that regulations reference CSF and vice versa.

Nobody has suggested that new cybersecurity regulations have to be applied; instead they are recommending that regulated industries that are already facing security regulations have the cybersecurity provisions tied into the CSF. That way, commenters suggest, there would not be competing requirements, especially for those organizations facing multiple regulatory schemes.

I was happy to see a number of cybersecurity research organizations included in the responders this week. They had some different insights from those provided by industry organizations.
