Sunday, October 5, 2014

No Responses to NIST RFI

Back in August, the National Institute for Standards and Technology published a request for information about organizational experience with the Cybersecurity Framework (CSF) that was published last February. With five days left in the comment period, NOT ONE RESPONSE has been posted to the NIST web site. I suppose that it could be that NIST is so overwhelmed with responses that they just haven’t had a chance to get them up on their site, but I don’t really expect that that is the case.

I suspect that, while the information security press has had qualified good things to say about the CSF, it is mainly a dead issue with industry in general. We have seen no movement by the regulatory agencies that might have been able to use the CSF as a tool to help gauge cybersecurity management to publicize, much less use, this tool.

It is a shame. The folks at NIST, and many folks in the private sector, spent a great deal of time and effort coming up with a consensus document that is either so perfect that no one sees a need to improve it, or is so lame that nobody thinks that it is fixable. 

NOTE: Thanks to a TWEET by Aristotle Tzafalias I learned that NIST has said that they will only post the comments to their web site after the close of the comment period. Certainly an odd way of doing things, but within their prerogative. 10-16-14 04:20 CDT.
