This is part of an ongoing look at the responses
to the National Institute of Standards and Technology's (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). A reminder: the comment period was
extended until February 23rd, 2016. The previous posts in this
series include:
This week there were 47 new responses (almost as many as had
been posted in total by last week) to the RFI. All but one of them were
dated after February 9th, the original comment cut-off date, and one
was dated after the new cut-off date. Obviously it was a smart move on the part
of NIST to extend the comment period. As I noted last week, I expect that there
will probably be one more of these posts to catch any additional late adds to
the response list.
The comments posted this week come from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
One commenter suggested that federal regulators map their
cybersecurity regulations to the CSF, just as the CSF is mapped to various standards.
Another commenter suggested instead that NIST conduct such regulatory mapping.
Regulatory mapping was addressed by a number (6) of additional commenters.
One commenter noted that the effect of IoT on the CSF should
be looked at. Another commenter suggested that there should be more emphasis on
acquisition and supply chain issues.
One commenter suggested that regulators use CSF reporting as
their regulatory methodology.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
A number of commenters (1) recommended that the CSF should
continue to be updated as existing standards are updated and new standards are
published.
One commenter noted that the CSF should be expanded to
include cyber threats, insider threats and physical threats. Another commenter
suggested that the CSF should include more detail about technological concepts
that affect implementation. Yet another suggested that the CSF should include
more detail on creating a target profile. And another suggested more emphasis
on state-of-the-art risk management practices. And another requested that the
CSF be expanded to include product integrity and supply chain security. Another
commenter suggested that medical device and industrial control systems need
coverage in the CSF. Big-data and cloud privacy issues were suggested by
another commenter as areas that need to be addressed.
One commenter suggested that CSF stability should be a
primary concern. Another commented that reducing the frequency of updates would
be helpful.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
A number of commenters (7) noted that the private sector
should continue to provide input on CSF improvements. One commenter
specifically recommended continued use of RFIs and regional workshops.
One commenter argued that the users of the framework should
provide the governance. Another commenter suggested that the private sector
should provide feedback on implementation issues.
One commenter suggested that NIST should hold semi-annual
workshops to address potential changes to the CSF.
Commentary
A total of 100 responses have been posted to the NIST site
as of today. Fewer than half of the commenters either used the spreadsheet
format requested by NIST or keyed their responses to specific questions posed
in the RFI. I really wish that the commenters that did not have the common decency
to take the effort to consider how NIST was hoping to use their responses would
sit down and read the 100 responses submitted to date and try to make sense of
the data presented.
I am sure that a great deal of effort went into developing
these 10 and 20 page responses that went into great detail about how the
organization was diligently working on cybersecurity. Unfortunately, those
comments were better suited to a press release than being helpful to NIST in
charting the future of the CSF.
Over the last two weekends I have spent four hours reviewing
responses to look for and analyze information on just three of the twenty
questions. And I did not even attempt to read the responses that were not prominently
keyed to the specific questions I was looking at. NIST on the other hand is
going to have to peruse each of the missives to try to extract the requested
information. I do not envy the NIST reviewers who will be required to review
each and every submission, no matter how verbose and self-advertising.
It was interesting that out of 47 submissions posted this
week, only one mentioned the fact that the CSF needs to be periodically updated
to reflect revisions to the various standards referenced in the document. In
the long run, I think that it was probably more important that a number of
commenters noted that there should be a mapping of CSF and cybersecurity
regulations. Comments went both ways, suggesting that regulations reference the CSF
and vice versa.
Nobody has suggested that new cybersecurity regulations have
to be applied; instead they are recommending that regulated industries that are
already facing security regulations have the cybersecurity provisions tied into
the CSF. That way, commenters suggest, there would not be competing
requirements, especially for those organizations facing multiple regulatory
schemes.
I was happy to see a number of cybersecurity research
organizations included in the responders this week. They had some different
insights from those provided by industry organizations.