Saturday, June 29, 2013

NIST Updates Progress on Framework

Yesterday the National Institute of Standards and Technology updated their Cybersecurity Framework web site to provide links to three new documents related to the President’s cybersecurity executive order (EO 13636). They just made their self-imposed deadline for getting the information out, but there should be adequate time for participants at the next Framework Workshop (to be held in San Diego) to review the documents and determine what specific changes they would like to see before the July 10th meeting.

The three documents are:

The Draft Framework

Actually this would be more accurately called a format for the Framework. There is some possible language in the document that might find its way into the Draft that will be submitted to the President this fall, but it is boilerplate language. Much of that language is a rehash of the President’s requirements for the Framework taken from the EO.

The parts of this document that will likely survive intact (in format anyway) to appear in the Draft Framework are found in links included in the document. Many of these are spreadsheets and .PDF documents to be used by organizations implementing the Framework and will act as an implementation record for those organizations. The linked documents include:

• Function Matrix Shell (spreadsheet explanation);
• Draft Framework Compendium (embedded spreadsheet: Standards and information sources for cybersecurity);
• Framework Implementation Levels (Example for Framework data recording);
• Draft Illustrative Framework (embedded spreadsheet: Example of linking standards and information sources to implementation tasks); and

There is a long way to go to get from this document to a Draft Cybersecurity Framework this fall. I suspect that there will be significant changes to the document's format and a great deal of fleshing out of the details. I wish them the best of luck at the upcoming Cybersecurity Framework Workshops.

ICS Coverage

Having perused this document and various embedded and linked publications, I feel a lot better about industrial control systems being included in the Framework coverage. There are numerous references to NERC CIP documents in the Compendium (I know; CIP is not strictly speaking a control system program, but it does include significant control systems mandates). And the Glossary definition of ‘Cyber Environment’ specifically includes a mention of ‘control systems’.

Having said that, this document demonstrates that the focus (but not the exclusive focus) of the Framework will be targeted on information security. I am afraid that the amount of attention that will be addressed at control system security issues will be minimal and ineffectual at best.
