This is part of an on-going look at the responses
to the National Institute of Standards and Technology (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). A reminder, the comment period was
extended and will remain open until February 23rd, 2016. The
previous posts in this series include:
This week there were 37 new responses to the RFI and most of
them were dated on or before February 9th, the original comment
cut-off date. This lag has been fairly normal for the NIST RFIs and is
certainly due to the fact that they have to hand process these comments from
emails. If NIST stays in the comment reception process they really need to come
up with an automated system for receiving/posting the comments.
Since the new comment deadline is this week I expect that I
will be doing these posts for at least two more weekends.
The comments posted this week come from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
A couple of commenters recommended that the CSF continue to
be voluntary in response to this question.
One commenter noted that DOD, DHS and NSA are developing separate
voluntary and mandatory guidelines and approaches which makes compliance more
difficult. Another commenter suggested that the CSF be used to harmonize
cybersecurity regulatory development. It was suggested by yet another commenter
that policy makers should collaborate with federal agencies and the private
sector to prevent duplication of regulatory processes and prevent conflict with
or superseding of regulatory requirements. One health care commenter called for
more alignment within the federal government in applying risk management principles.
Another commenter suggested that regulators use CSF reporting frameworks as
part of their regulatory scheme.
Continued cooperation between standards setting
organizations was also suggested. One commenter suggested that a public/private
sector guidance body be established.
One commenter noted that the voluntary nature of the CSF
implementation was beneficial because it allowed an organization to ignore, add
or eliminate processes so that the CSF would be more applicable to the
organization.
Another commenter noted that NIST should expand its
development of CSF profiles for different regulatory regimes or that regulators
could reference the CSF in their rules. One commenter suggested that Sector
Specific Agencies be required to develop CSF implementation guidelines. Another
commenter suggested that the CSF be expanded to an international scope. Another
commenter suggested that the CSF should be expanded to include more specific
measurable/observable criteria to better support regulatory reporting.
One commenter suggested that continued private sector
involvement in CSF updates would ensure that the CSF does not conflict with
regulatory requirements.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
A number of commenters (8) recommended that the CSF should
continue to be updated as existing standards are updated and new standards are
published. One commenter noted, however, that updates should be limited to
allow for adequate implementation experience to guide future updates; this was
reinforced by other commenters.
One commenter specifically recommended that health care
organizations take an active role in the update process. Another commenter
suggested that outdated measures should be removed. A suggestion was made that
NIST and industry should work together to develop industry specific
implementation guidelines. Yet another commenter suggested that there should be
more public safety input into the CSF development process. It was suggested
that the CSF remain technology neutral.
An equipment vendor noted that supply chain security issues
need to be addressed in the CSF. Another commenter suggested that the internet
of things and bring your own device problems should be addressed in the CSF.
Yet another commenter suggested that high level control areas for PKI security
be included. A government agency suggested that future updates should reflect
all stakeholder needs.
One commenter opposed regular updates to the CSF, noting
that continuity was more important in the changing field of cybersecurity.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
A number of commenters (10) noted that the private sector
should continue to provide input on CSF improvements.
One commenter noted that the private sector should be
providing input to both NIST and standards setting organizations. Another
commenter noted that multiple inter-sector dependencies need to be identified.
One commenter maintained that private sector involvement leads to a sustainable
program. Yet another suggested that the private sector should play a critical
role in the CSF governance with another suggesting that the private sector
should own the CSF and its governance.
One commenter suggested that private sector input be limited
to anonymized input on implementation issues.
Commentary
A total of 53 responses were ultimately received by the end
of the original comment period from a broad cross section of responders. This
actually ended up being a pretty decent number of responses for this type of
non-regulatory request for comments. I was disappointed in the relative lack of
responses from security researchers as I know that a number were involved in
the original process that led to the publication of the CSF; I expect, however,
that they would again get involved in any change process.
Having said that, it should be noted that I did not submit
any comments to this RFI. Since the questions were mainly targeted at
organizations that had either used the CSF or specifically decided not to use
the Framework, I didn’t think that my more philosophical comments would really
be appropriate. And that may have been why we saw so few comments from
individuals in response to the RFI.
I want to remind folks that the continuing analysis of the
responses to the RFI that I have been doing has been limited to those responses
that specifically (and clearly) addressed specific questions in the RFI. For
the most part I ignored (and suspect that NIST will largely ignore) the more
verbose and erudite commentaries on the CSF that were submitted by a large
number of the commenters. NIST was looking for specific information and those
commenters were not helpful in that regard.
A number of those non-responsive responses were more
targeted at the next version of the CSF and may have been more appropriately
saved for that process. There was at least one exception to this; the comments
submitted by HITRUST
both addressed the NIST RFI questions and provided some in depth suggestions
for how the next version of the CSF should look. If you are really interested
in the future of the CSF I suggest that you take a look at their lengthy
commentary; I expect (and hope) that they will be actively involved in the CSF
revision process.
Readers of this series of posts will realize that I am a big
fan of the NIST attempts to get commenters to use the spreadsheet format for
submitting responses to the questions that they asked. This makes the
compilation and analysis of those comments so much easier. I would like to
suggest that NIST continue to work at the development of this process and
include the development of a methodology for automating the reception of those
spreadsheets.
OMB should be actively working with NIST on developing this
process of automating the collection and analysis of public comments. This
would go a long way to making the regulatory process more effective and reduce
the time necessary to complete the regulatory process.