Yesterday the National Institute of Standards and Technology
updated its Cybersecurity
Framework web site to provide links to three new documents related to the
President’s cybersecurity executive order (EO 13636).
NIST just made its self-imposed deadline for getting the information out, and
there should be adequate time for participants in the next Framework Workshop
(to be held in San Diego) to review the documents and decide what specific
changes they would like to see before the July 10th meeting.
The three documents are:
• Draft Framework Core; and
The Draft Framework
Actually, this would be more accurately called a format for
the Framework. There is some language in the document that might find
its way into the Draft that will be submitted to the President this fall, but
it is boilerplate. Much of it is a rehash of the President’s
requirements for the Framework taken from the EO.
The parts of this document that will likely survive intact
(in format, anyway) to appear in the Draft Framework are found in the links included
in the document. Many of these are spreadsheets and PDF documents to be used
by organizations implementing the Framework, and they will act as an implementation
record for those organizations. The linked documents include:
• What Every CEO Should Know About IT Security (an eBook);
• DHS Cybersecurity Questions for CEOs (flyer);
• More Intelligent, More Effective Cybersecurity Protection (Business Roundtable Report);
• Function Matrix Shell (spreadsheet explanation);
• Draft Framework Compendium (embedded spreadsheet: standards and information sources for cybersecurity);
• Framework Implementation Levels (example for Framework data recording);
• Draft Illustrative Framework (embedded spreadsheet: example of linking standards and information sources to implementation tasks); and
There is a long way to go to get from this document to a
Draft Cybersecurity Framework this fall. I suspect that there will be
significant changes to the document’s format and a great deal of fleshing out of
the details. I wish them the best of luck at the upcoming Cybersecurity
Framework Workshops.
ICS Coverage
Having perused this document and the various embedded and linked
publications, I feel a lot better about industrial control systems being
included in the Framework coverage. There are numerous references to NERC CIP
documents in the Compendium (I know, CIP is not strictly speaking a control
system program, but it does include significant control system mandates), and
the Glossary definition of ‘Cyber Environment’ specifically includes a mention
of ‘control systems’.
Having said that, this document demonstrates that the focus (but not the
exclusive focus) of the Framework will be information security. I
am afraid that the amount of attention paid to control system
security issues will be minimal and ineffectual at best.