Almost a month has gone by and we are just now seeing the National Institute of Standards and Technology (NIST) posting comments to their latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). As a reminder, the comment period will remain open until February 9th, 2016.
As of this morning there are only three responses posted to the RFI Response site. They come from:
Comment Format
Before looking at the actual responses, I would first like to take a look at the reason that NIST has suggested that comments to the RFI be submitted using the spreadsheet submission form provided on the RFI web site. This is a technique that NIST established in their earlier RFI submissions.
If you look at the three submissions available today, only one of them uses the spreadsheet. In the first submission it is very hard to actually find the comments from Mr. Marks, as he has appended them directly to the questions with no visual separation. The submission from Cybernance uses a similar format, but provides visual separation, which makes the responses easy to identify and read. Finally, the Esterline submission uses the NIST spreadsheet, which not only makes it easy to identify and read the response, but also makes it easier for NIST to extract the comments into a review/response database.
The whole point of responding to a request for information like this is to have one’s voice heard in the most effective manner possible. NIST has come up with a technique that makes it easier for them to evaluate the responses, and at the same time is relatively easy for the responding community to use. Not only do I think that the public should use this particular response form for replies to this RFI, but other agencies should consider employing the same technique when soliciting public comments on RFIs and rulemakings.
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to ‘prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes’ as required by the Cybersecurity Enhancement Act of 2014?”
Only one commenter addressed this question with a fairly succinct:
“Form a single body for the US gov't that has a singular standard system.”
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
All three commenters generally agreed that the CSF should be updated regularly. One commenter suggested improving the ability to access the referenced controls. Another suggested upgrading the ‘Profile’ section to aid in charting a path forward to improving cybersecurity. The third suggested that the CSF should better reflect differences in response based upon organization size.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
All three commenters strongly supported continued involvement of the private sector. One noted that in particular organizations like the FS-ISAC (presumably including all information sharing and analysis centers) should be involved.