Today the National Institute of Standards and Technology
(NIST) published a request for comments notice in the Federal Register (78 FR
64478-64480) for the Preliminary Cybersecurity Framework that was published on the NIST web
site last week. Alert readers will note that this is a completely different
process from the one followed in the publication of a new rule or regulation.
The Notice
Today’s notice points back to the
NIST Framework web site for both a copy
of the Framework to be reviewed and commented upon and a copy
of the form that NIST wants people to use to file their comments. Comments
are to be submitted directly to NIST by postal mail or email (csfcomments@nist.gov) and must be
received by 5:00 pm EST on December 13th, 2013. NIST is not using
the Federal eRulemaking Portal for these comments. Comments will be posted in
their entirety at http://csrc.nist.gov/cyberframework/preliminary_framework_comments.html.
The notice published today does not mention the alternative
format for the listing of “informative references (standards, guidelines and
best practices)” provided in the Framework. Apparently some concern has been
expressed about how easy the table provided in the Framework (pages 13-26) is
to understand, and an alternative version of that table is also available on
the NIST web site. NIST would like comments on the two versions to be included
in any submission of comments.
The Comment Format
NIST has specifically requested that all comment submissions
use the form provided on (downloaded from) their web site. Many commenters will find
it difficult to adapt their typical verbose expository commenting style to the
spreadsheet format provided. I suspect that NIST is expecting a very large
number of detailed comments and this format will make it much easier to
collect, collate, and analyze a large number of comments.
Given that the President has provided a February deadline
for publishing the final version of the Cybersecurity Framework, I think that
NIST has made a very astute choice in the way they wish to receive their
comments. I also suspect that this request will be widely ignored by many of
the organizations that typically comment on federal rules and regulations.
The even larger number of comments from industry (at the
operational level) and academia will be submitted by people who are very
familiar with the spreadsheet format. These commenters will have no problem
submitting their comments in the manner suggested/requested by NIST.
The Choice
NIST has made a very interesting choice in the way they have
published both the Framework and this request for comments. The Federal Register
notice will catch the attention of the people who normally comment on federal
rules and regulations, and their comments will be very important. The use of the
NIST web site as the location for publication of the Framework and of the comments
will attract a completely different set of responses: responses from people at the
operational level who deal with cybersecurity issues on a daily basis. It will
be interesting to see how effective NIST is in attracting comments from this
group of people.
An interesting sidelight to the choice has to do with the
non-regulatory nature of the Framework. One of the reasons that NIST was
selected to lead this effort was that they are not a regulatory agency, and the
Administration has been very careful to publicly reiterate that this is a
completely voluntary program. On the other hand, many commentators, myself included,
have mentioned how easy it might be for regulatory agencies to incorporate this
program into their current regulatory regime.
In publishing the Framework document outside of the Federal
Register and taking the comment process out of the Federal eRulemaking Portal,
NIST has made that inclusion just a little more difficult. Any agency
attempting to directly co-opt the Framework will first have to put it through
the regulatory wringer of its own publication and comment process.