This is part of an ongoing look at the responses
to the National Institute of Standards and Technology (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). As a reminder, the comment period will remain open until February
9th, 2016. The previous posts in this series include:
This week there were ten new responses to the RFI. This is almost
the same as the total number that had been submitted by last Saturday, and they
all came before the original deadline. This week’s responses came from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
One commenter recommended that the Federal government should
consolidate the Federal cybersecurity effort to avoid having multiple
requirements from separate agencies. Similarly, another commenter suggested
that if the CSF were to become the regulatory standard, all agency
regulations should be based upon that standard. On the other hand, a separate
commenter noted that regulatory requirements should be included in the CSF. Alternatively,
another commenter suggested that NIST should have greater outreach to Federal,
State and local regulators to aid them in developing consistent regulatory
schemes.
One commenter noted that as new industry and international
standards are developed they should be incorporated in the CSF. Another
commenter suggested that the relationship between the CSF and the NIST Risk
Management Framework should be clarified.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
One commenter noted that the CSF should be cautiously
updated to reflect changes in evolving cyber technology and the risk landscape.
Another commenter suggested that the CSF needs an implementation plan and an
assessment tool like DHS’ Cyber
Resilience Review tool. Yet another commenter recommended that newer
versions of the CSF should focus on critical areas and key mitigation plans
like perimeter defense strategies.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
One commenter suggested that while NIST should maintain
responsibility for CSF governance, ISACs should become directly involved in CSF
changes. Another noted that industry organizations like CHIME
should become involved in the CSF process. One commenter suggested that the
NERC CIP process has shown that a period of stability is needed between
revisions of the CSF, so that lessons learned can be properly identified and
incorporated.
Commentary
While the number of commenters that have provided input
during the initial 60-day comment period is staggeringly inadequate, the latest
batch has a number of interesting and provocative ideas for NIST to consider.
I would like to point out that the majority of the comments
received this week were in the CSF comment submission format. This makes the
review of the comments much easier. Commenters need to realize that if their
intent is to actually influence the CSF improvement process, then making it
easier for the reviewers to understand and collate the responses increases the
efficiency of the influence.
There were a couple of commenters that seemed to have
confused the management tool that is the Cybersecurity Framework with
cybersecurity regulations. The CSF is a tool that can be used to analyze the
current state of an organization's cybersecurity practices and to figure out
what the organizational goals in the field should be and how to achieve them.
Regulatory schemes are designed to set minimum standards, establish compliance
measures for those standards and ensure that those compliance standards are
met. One would like to think that an organization, while having to meet
regulatory requirements, would aspire to a higher standard of performance. The CSF
provides a tool to establish that higher performance level and outline a means
to achieve that goal.
Regulatory agencies could certainly use the CSF as a tool
for ensuring that their minimum standards reflect industry standards and
capabilities. It also provides the necessary references for finding appropriate
measurement tools to gauge the effectiveness of responses to regulatory
requirements.
But the CSF is not a regulatory framework. It was never intended
to be such and would lose much of its effectiveness if it became one. Probably
the greatest advantage of the CSF versus cybersecurity regulations is that it
should be easier to update the Framework to reflect changes in the cybersecurity
landscape than it would ever be to update regulations. In large part this is
because its voluntary nature makes organizations much less resistant to
changes in the Framework.