This is the second in a series of posts about public
comments submitted in response to the publication of the NIST Preliminary Cybersecurity
Framework (PCSF). The earlier post is listed below.
This last week there have been 10 new comments posted to the NIST PCSF Comment web site. Actually, they were all posted to the site on November 25th, so it is very likely that additional comments have been submitted since then. This brings the total to a very disappointing 16 comments so far.
The comments form a very interesting spread of viewpoints. We have one comment from a hospital maintenance chief who wants to see violations of the CSF prosecuted as criminal violations (very unlikely, to say the least). And we have a ‘good job’ comment from a college CISO. In between the two we have a number of interesting suggestions, including:
• Add a sub-category requiring continuous monitoring of configuration baselines;
• Add a sub-category requiring mitigation of identified vulnerabilities in security controls;
• Align the language in the PCSF with that used in the National Preparedness Goal (NPG) and System;
• Suggest the use of outcome-focused performance goals;
• Incorporate the use of data governance, risk management and compliance in the system design phase;
• Consider the use of compliance automation tools;
• Consider the security implications of ‘data-in-use’;
• Redefine ‘Framework Profile’ as the desired outcomes and ‘Framework Core’ as a list of key activities, and re-order the two based upon those definitions;
• Include a discussion of the effects of uncertainty and complexity on cybersecurity; and
• Add three steps to the ‘Getting Started’ discussion: 1) Determine the scope of critical infrastructure to protect, 2) Conduct a self-assessment of current cybersecurity status, 3) Ensure continuous improvement.
We are beginning to see more use of the NIST spreadsheet format for the submission of comments, but it is hardly universal. Part of the problem is that some suggestions for changes or improvements cannot be tied directly to a specific page or line in the PCSF.