Saturday, February 17, 2018

NIST Framework Update – 02-17-18

This week the National Institute of Standards and Technology updated their Cybersecurity Framework web site. There are only two things of potential new interest on the redesigned web site: the new CSF ‘Online Learning’ page and a brief announcement about the date of the next CSF Workshop.

Framework Learning

The new Online Learning page is going to be a disappointment to anyone that expects NIST to provide some new high-tech learning environment. What NIST has provided is three new pages with old-fashioned written discussions with minimal graphics addressing the following topics:

• Components of the Framework;
• Uses and Benefits of the Framework; and
• History and Creation of the Framework.

The information presented is useful and well written. It is just odd to see this presentation format used to address such a modern issue. Actually, I kind of liked it.

Framework Workshop

The new Latest Update page announces that NIST intends to hold their next CSF workshop on September 11th-13th, 2018 in the Washington, DC area. Further information will be published in the coming weeks.


Back in December NIST published the latest draft version of CSF v1.1 for comments. The comment period closed on January 18th. NIST has still not published the comments that it has received. The Latest Update page still notes that: “All responses will be published publicly in the coming weeks.”

NIST has chosen not to use the Federal eRulemaking Portal to receive comments for a variety of reasons. Most importantly, the justification is that the CSF is not a regulatory regime, so that particular public comment process is not necessary.

In earlier iterations of the CSF process NIST published the responses on the CSF web site as they came in. This allowed interested parties to see what other interested individuals and organizations were saying and add their two cents' worth as appropriate. It also allowed gadflies like myself to conduct ongoing analysis and comments (see here for example) as the comments came in. Again, I would like to think that commentators such as myself helped to publicize the CSF discussions and maybe even inspire some additional comments being submitted that would not have otherwise been made.

I am disappointed that NIST did not allow the cybersecurity community to see these comments as they came in. It makes the revision process look much more closed than were the earlier efforts. I am afraid that this is the type of government activity that is being moved back behind closed doors by an Administration that is supposed to be ‘business friendly’. Failing to conduct public business in the public eye is not now, nor ever has been, ‘business friendly’.

We need NIST to move the CSF modification process fully back into the public spotlight.
