This is the third in a series of posts about public comments
submitted in response to the publication of the NIST Preliminary
Cybersecurity Framework (PCSF). The earlier posts are listed below.
In the last week there have been 21 new comments posted to the NIST PCSF Comment web site. The latest comments have done a much better job of using the spreadsheet format for comment submission that NIST requested.
Interestingly, there seems to be a somewhat organized effort to support certain suggested changes, with a number of commenters using identical language in support of the same changes. Where I have seen this I have annotated the description of the change with the number of people that have made the suggestion (eg: ‘8x’).
Please note that my descriptions of the suggested changes
are very brief and really don’t fully explain the concepts involved. Please use
the provided links to see the details about the changes.
The current set of proposed changes include:
• Repeated suggestion (8x) to add three steps to the ‘Getting Started’ discussion: 1) determine the scope of critical infrastructure to protect, 2) conduct a self-assessment of current cybersecurity status, 3) ensure continuous improvement.
• Move ‘Tiers and Profiles’ to CSF 2.0 as it needs more explanation and justification.
• Items missing: data integrity, cryptography, and cloud services.
• Include cross mapping (5x) of security standards; suggests using the CSA Cloud Controls Matrix (CCM).
• Include references to the Open Group Dependency Modeling (O-DM) standard, Open Group Risk Analysis (O-RA) standard and Open Group Risk Taxonomy (O-RT) standard.
• Address CSF certification, incentives to adopt the CSF, and collaboration/information sharing.
• Adopt HITRUST CSF categories, authoritative sources, maturity model, controls and control elements.
• Require 2-factor authentication for any external access to critical systems.
• Specify that the scope addresses the delivery of ‘critical infrastructure services’.
• Expand the use of framework profiles as a tool to convey CSF requirements to supply chain partners.
• The CSF is not specific enough in its requirements, allowing too much leeway in implementation.
• Consider (3x) using the SANS Quick Wins approach for breach analysis.
• Expand the definition of privacy data to be protected.
• Limit the definition of privacy protections.
• Replace implementation tiers with the CERT Resilience Management Model (CERT-RMM).
• Add the NIST NICE Cybersecurity Workforce Framework as a reference.
• Revise categories and sub-categories to make each distinct and sufficient to describe a specific cybersecurity activity.
• Remove the concept of Tiers and replace it with a single description of the characteristics of a robust cybersecurity program.
The comment period closes next Friday. Given the way these submissions are posted, I expect that I will have two more posts about the submitted comments.