This week the National Institute of Standards and Technology
(NIST) expanded (somewhat) the usability of the Cybersecurity Framework (CSF)
as a management tool. They published the CSF
Reference Tool [Zip file containing a Windows® .EXE
file; there is an alternative OS® application version]; “a FileMaker
runtime database solution”.
According to the NSF web site:
“The CSF Reference Tool allows the
user to browse the Framework Core by functions, categories, subcategories, informative
references, search for specific words, and export the current viewed data to
various file types, e.g., tab-separated text file, comma-separated text file,
XML, etc.”
The tool is designed to make it easier for corporate
management to use the CSF as a management tool for the implementation (and
tracking the implementation) of the CSF. It makes it easier for the user to
search for and extract information from the CSF
Core [Excel® download] and to export that data into forms and formats that
can be used for various management functions.
My biggest complaint about the CSF Core applies to this tool
as well. The references data should include links to the specific areas of the
applicable documents or at least to the documents themselves. I understand that
there are copyright issues and many of the document owners require users to buy
the documents. That and many of the documents are not formatted to be linkable
down to the section level.
If NIST had been given a budget for the CSF (which would
have meant that Congress got involved instead of it just being based upon an
Executive Order) they might have been able to negotiate link access rights from
this tool to the various standards involved. Without that capability, the
utility of this tool will be limited for most organizations.
OOPS – I just found some other headaches; this file is set
up to run from the NIST-CSF.exe from the extracted zip file each time it is
opened. It does not automatically set up an icon or even a link on the START
page. Even if you pin it to your task bar, you get a ‘Run’ dialog box opening up
on your screen before you get to the program. When you exit the program you get
another dialog box that shows up informing you that the base program, FileMaker
Pro®, ‘has stopped working’. These are software issues that ruin the runnability
of the program. It is really sad that the programming skills and QA skills are
so low at NIST that these types of errors remain in their distributed programs.
We were not allowed to have errors like this remain in our college projects
twenty years ago.