Back in August the National Institute for Standards and Technology published a request for information about organizational experience with the Cybersecurity Framework (CSF) that was published last February. With five days left in the comment period, NOT ONE RESPONSE has been posted to the NIST web site. I suppose that it could be that NIST is so overwhelmed with responses that they just haven’t had a chance to get them up on their site, but I don’t really expect that that is the case.
I suspect that, while the information security press has had qualified good things to say about the CSF, it is mainly a dead issue with industry in general. We have seen no movement by the regulatory agencies that might have been able to use the CSF as a tool to help gauge cybersecurity management to publicize, much less use, this tool.
It is a shame. The folks at NIST, and many folks in the private sector, spent a great deal of time and effort coming up with a consensus document that is either so perfect that no one sees a need to improve it, or is so lame that nobody thinks that it is fixable.
NOTE: Thanks to a TWEET by Aristotle Tzafalias I learned that NIST has said that they will only post the comments to their web site after the close of the comment period. Certainly an odd way of doing things, but within their prerogative. 10-16-14 04:20 CDT.