This week the National Institute of Standards and Technology
updated their Cybersecurity Framework web site. There are only two things of potential
new interest on the redesigned web site: the new CSF ‘Online Learning’ page and a brief
announcement about the date of the next CSF Workshop.
Framework Learning
The new Online Learning page
is going to be a disappointment to anyone who expects NIST to provide some new
high-tech learning environment. What NIST has provided is three new pages with
old-fashioned written discussions with minimal graphics addressing the
following topics:
• Components of the Framework;
• Uses and Benefits of the Framework; and
• History and Creation of the Framework.
The information presented is useful and well written. It is
just odd to see this presentation format used to address such a modern issue.
Actually, I kind of liked it.
Framework Workshop
The new Latest
Update page announces that NIST intends to hold their next CSF workshop on
September 11th-13th, 2018 in the Washington, DC area. Further
information will be published in the coming weeks.
Commentary
Back in December NIST published
the latest draft version of CSF v1.1 for comments. The comment period closed on
January 18th. NIST has still not published the comments that it has
received. The Latest Update page still notes that: “All responses will be
published publicly in the coming weeks.”
NIST has chosen not to use the Federal eRulemaking Portal (www.Regulations.gov) to receive comments
for a variety of reasons. Most importantly, the justification is that the CSF
is not a regulatory regime, so that particular public comment process is not necessary.
In earlier iterations of the CSF process NIST published the
responses on the CSF web site as they came in. This allowed interested parties
to see what other interested individuals and organizations were saying and add
their two cents' worth as appropriate. It also allowed gadflies like myself to conduct
on-going analysis and comments (see here
for example) as the comments came in. Again, I would like to think that
commentators such as myself helped to publicize the CSF discussions and maybe
even inspire some additional comments being submitted that would not have
otherwise been made.
I am disappointed that NIST did not allow the cybersecurity
community to see these comments as they came in. It makes the revision process
look much more closed than were the earlier efforts. I am afraid that this is the type
of government activity that is being moved back behind closed doors by an Administration
that is supposed to be ‘business friendly’. Failing to conduct public business in
the public eye is not now, nor ever has been, ‘business friendly’.
We need NIST to move the CSF modification process fully back
into the public spotlight.