This is the fourth in a series of posts about public comments
submitted in response to the publication of the NIST Preliminary
Cybersecurity Framework (PCSF). The earlier posts are listed below.
There were 51 new comments posted to the PCSF comment website this week, more than double the number from the week before. This is still a relatively poor showing for a program that will have as widespread an impact on such a wide range of industries. Since we haven’t yet seen comments posted from the major industrial organizations (the American Chemistry Council, for instance) that always comment, I suspect that the last-minute comments have yet to be posted to the site.
Again, please note that the summaries posted below are very
broad summaries and the actual comments will provide much more detail.
The most recent set of proposed changes includes:
• Repeat (8x) of: add three steps to the ‘Getting Started’ discussion; 1) Determine scope of critical infrastructure to protect, 2) Conduct self-assessment of current cybersecurity status, 3) Ensure continuous improvement.
• Expand concepts to include operational measures that have impacts on security.
• Expand citations of ISA 99.02.01 to include a parenthetical citation to the corresponding section or sections of IEC 62443 Part 2-1.
• Adopt current security planning terminology of “Identify Assets, Identify Risks, Create Policies, Implement, Monitor, Recover from an incident”.
• Differentiate between security standards for legacy devices and new installations.
• Include more requirements for the use of encryption for communications and data protection.
• Include discussion of security engineering.
• Comment that the lack of specific guidelines may make it difficult for small organizations to implement.
• Include an ‘External Participation’ category to identify outreach efforts to be used by small organizations to aid in implementation of the Framework.
• Address cost-benefit analysis as part of the risk assessment process.
• Identify how threat information will be shared.
• Include SC-44 (from Appendix F, NIST Special Publication 800-53) as an informative reference.
• Add additional references including: ITU-T X.1528 - Common Platform Enumeration; ITU-T X.1520 - Common Vulnerabilities and Exposures; ITU-T X.1544 - Common Attack Pattern Enumeration and Classification; ITU-T X.1521 - Common Vulnerability Scoring System; and ITU-T X.1526 - Open Vulnerability and Assessment Language.
• Change references to Tier 1 to describe an unacceptable current state that needs to be improved upon, not an acceptable state.
• Add additional references including: the Open Systems Interconnection (OSI) model; and ISO/IEC 7498-1.
• Include references to existing training certification programs.
• Include a voluntary self-assessment tool for determining current Tier status.
• Include discussion of how HIPAA and HITECH regulations will impact Framework adoption in the healthcare industry.
• Add additional references including: ANSI X9.8, X9.112 (D), X9.122 (D), X9.119, X9.117, X9.73, X9.31, and X9.62; and ISO 9564 and 16609.
• Include discussion of security layers.
• Add ‘Cyber Intelligence’ as a new category under Identify.
• Add an appendix that provides guidance on Framework implementation.
• Remove the privacy appendix from the current Framework.
• Include a definition of ‘Framework Adoption’.
• Comment that too many of the categories are so expansive in their scope as to be unattainable.
• Limit privacy protection requirements to information assurance activities.
• More completely address privacy protection training requirements.
• Include closer ties between the Framework and the National Initiative for Cybersecurity Education (NICE).
• Detailed discussion of control system issues.
• Does not include a discussion of the role of insurance in risk assessment.
• Needs to address cybersecurity workforce issues including training and certification.
• Expand characterizations of potential losses in an ICS environment.
• Update references to ISA-62443-2-1.
• Should include a stronger reference to use of the Framework by regulatory agencies.
• Address more of the HISP Top 20 Mitigating Controls.
• Increased need for information sharing.
• Needs more emphasis on ‘security by design’ and ‘privacy by design’.
• Needs more emphasis on cryptography and digital certificates.
• Add subcategories for: "Policies to secure and protect cryptographic keys and digital certificates are established and enforced"; "Cryptographic keys and digital certificates are monitored to detect vulnerabilities and exploits"; and "Trust compromise response plan is established and implemented".
• Needs more emphasis on information sharing and taxonomy.
• Update Tier model and methodology.
• Add discussion of insider threat prevention and response.
• Detailed discussion of operational aspects of cyber intelligence.
• Detailed discussion of insider threat programs.
There are obviously other submissions that have been made that are not currently posted to the NIST comment site. That means that there will be at least one more blog post in this series.