This is part of an on-going look at the responses to the National Institute of Standards and Technology's (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder: the comment period will remain open until February 9th, 2016. The previous posts in this series include:
This week there were five new responses to the RFI. This is the largest number of responses in a single week, but it is still a remarkably small number of responses. This is even more concerning because the comment period ends on Tuesday. This week's responses came from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
"What steps should be taken to 'prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes' as required by the Cybersecurity Enhancement Act of 2014?"
Only three of the responders addressed this question in their response. One recommended that the CSF continue to be a voluntary program until such time that there is an industry-wide consensus that the Framework should be adopted. Another commenter suggested that various cybersecurity regulatory standards be included in the reference standards. The final commenter on this question suggested that a cross-functional group (including representatives from industry and standards organizations) be formed to establish a CSF change control process.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
The same three commenters also addressed this question. One suggested that change for change's sake should be carefully avoided. A second recommended that the next update should address risk management decisions and prioritization processes in more detail. The other responded that updates should be responsive to industry feedback.
Private Sector Involvement
NIST question 20 asks:
"What should be the private sector's involvement in the future governance of the Framework?"
Again, comments on this question were only received from the same commenters that responded to questions 9 and 10. One expressed support for continuing NIST control of the CSF process with advice from industry. Another suggested that industry support should be specifically restricted to an advisory role to avoid conflicts of interest. The third commenter suggested that NIST continue using the RFI process and holding open public meetings and workshops when updating the CSF.
Commentary
Only two of this week's commenters used the NIST spreadsheet for submitting comments. The third that responded to specific questions used a standard WORD® format with responses specifically keyed to the RFI questions. The remaining two commenters used the old-style letter format that pressed their organizational agenda rather than specifically responding to the RFI questions.
I suspect that that out-of-date response style means that what may have been legitimate and perhaps useful concerns will likely be given little consideration in moving the CSF update process forward. NIST has established a history of moving forward quickly in response to RFIs, and that can only happen when specific responses are given to specific questions.
I really hope that there will be a much larger number of responses received in this last week of the response process. If we continue with the same level of response, it is hard to imagine that NIST will be able to continue forward with a rigorous update process for the CSF.