Earlier this week the National Institute of Standards and Technology (NIST) published a brief update on its web site about the development of the Cybersecurity Framework. The update gives a short account of where the process currently stands and how NIST intends to reach the required publication of the Framework. This is part of NIST's commendable effort to keep the cybersecurity community engaged in the process.
Cybersecurity Framework Elements
The important new information in this update is a listing of the elements that NIST intends to include in its draft Framework. While most of this was outlined in the President's Executive Order (EO 13636), the update puts a little more meat on the bare bones provided by the President. Abstracting that information further, the NIST Framework will:
• Identify effective existing practices to inform an organization's risk management decisions;
• Provide a modular and flexible approach to enable organizations to relate cybersecurity needs to diverse sector and organization business drivers;
• Reinforce cybersecurity risk management as it relates to the enterprise risk management processes of an organization;
• Provide a means for an organization to express the maturity of its cybersecurity risk management practices;
• Include workforce considerations; and
• Address the need for organizations to manage the various types of dependencies, including those related to providers, processes, and technologies.
Workforce Considerations
The brief discussion of the workforce considerations deserves special emphasis. The document makes it clear that the Cybersecurity Framework will address two separate levels of training requirements. First, there will be general awareness training on cybersecurity requirements that all personnel with access to critical cyber-systems will have to undergo. Interestingly, the update makes it clear that 'all personnel' should include "employees, partners, and customers" that have system access.
The second level of training will focus on 'cybersecurity personnel'. The update notes that "the cybersecurity workforce must be trained and must maintain the skills necessary to understand the operating environment, the threats and vulnerabilities to that environment, and the practices available to combat those threats and vulnerabilities" (pg 2). The development of this type of training is one of the areas that NIST should stress in its proposed Federally Funded Research and Development Center (FFRDC). At the very least, there is going to have to be some sort of federal support and guidance in the development of this professional workforce training program.
NIST Still Looking for Information
The update makes it clear that NIST is not done with the information collection phase of its process (and hopefully this indicates a realization that such information collection efforts will have to remain an integral part of the Framework). Specifically, NIST is looking for additional input in the following areas:
• The identification and availability of foundational cybersecurity practices;
• The actionable expression and management of privacy and civil liberties needs;
• The availability of outcome-oriented metrics that leaders can use in evaluating the position and progress of the organization's cybersecurity status; and
• The mechanisms to enable critical dependency analysis for supply chains based on mission/business function.
Moving Forward
The update reiterates the earlier report that NIST will have an outline of the draft of the preliminary (this will certainly be a working document, given all of those qualifiers) Cybersecurity Framework available by the end of the month, which means this coming week. All of this leads up to the 3rd Cybersecurity Framework Workshop, to be held in San Diego, CA on July 10th and 12th.
NIST expects this Workshop to result in an initial draft of the Framework that includes "a corresponding list of standards, guidelines, and practices that are currently being used by industry" (pg 2). We can only hope that the Framework being developed includes a methodology for keeping that list updated with revisions and new standards as the cybersecurity field continues to grow and mature.
NIST recognizes that not everyone with an interest in, or input for, the development of the Cybersecurity Framework will be able to attend the Workshop in San Diego. NIST is encouraging those who cannot attend to provide their input via email (cyberframework@nist.gov).