As I
noted earlier, this coming week the National Institute of Standards and
Technology will be holding their second Cybersecurity Framework Workshop in
Pittsburgh, PA. This last week they updated
their agenda for the meeting. As expected this provides a clearer
indication of what will take place at the meeting and ties in the NIST
analysis of comments received in response to their request for information.
After a brief introduction to the NIST Framework process and
their review process for the RFI comments, the workshop participants will be
broken out into four groups that will cycle through the discussion tracks listed below.
Each participant will take part in each of the four tracks.
• Business of Cyber Risk
• Threat Management
• Cybersecurity Dependencies and Resiliency
• Cybersecurity Progression and Maturity: From Basics to Advanced Cybersecurity
The agenda specifically notes that attendees should expect
to discuss “specific standards, guidelines, and practices identified in the RFI
responses”. It would probably be a good idea (a little bit of sarcasm) to
download the
NIST analysis and read it before attending. I still say that it would be beneficial
if NIST published the database they developed from the RFI responses. This
would provide participants with better data upon which to discuss the proposals,
as there is no way that the participants will be expected to wade through the
more than two hundred responses, some of them quite detailed. Even I
didn’t do that in detail.
I am disappointed that there is still no indication that
NIST intends to treat control system security differently from information system
security in the Framework. There are too many fundamental differences between the
two types of cybersecurity for them not to do so. NIST certainly has the
internal technical expertise to understand this, but there has been nothing to
date in their discussion of the development of the Framework that would so
indicate. Maybe this will be addressed in Pittsburgh.