Showing posts with label Workshop. Show all posts

Saturday, June 11, 2016

NIST Framework Update – 06-09-16

This week the National Institute of Standards and Technology (NIST) published a document summarizing the results of the workshop that they held in April on the future of the Cybersecurity Framework (CSF). The document summarizes the views expressed by workshop participants and outlines the continuing steps that NIST intends to undertake in support of the CSF.

There were seven major topic areas covered in the document with two receiving detailed discussion. The seven topics were:

• Background;
• Cybersecurity Framework Use;
• Evolution and Maintenance;
• “Best Practice” Sharing;
• Roadmap for Improving Cybersecurity;
• Update; and
• Next Steps

The first area that included a more detailed discussion was the Roadmap. Topics discussed included:

• Authentication;
• Automated Indicator Sharing;
• Assessment and Confidence Mechanisms;
• Cybersecurity Workforce;
• Federal Alignment;
• International Aspects, Impacts, and Alignment;
• Supply Chain Risk Management; and
• Technical Privacy Standards

As expected, the final area to receive detailed attention was the ‘Next Steps’ portion of the document. This was divided into two sections: NIST Actions and Recommended Stakeholder Actions. The latter included discussions on:

• Customizing the Framework for your sector or community;
• Publishing a sector or community Profile or relevant “crosswalk.”;
• Advocating for the Framework throughout your sector or community, with related sectors and communities;
• Publishing “summaries of use” or case studies of your Framework implementation; and
• Sharing your Framework resources with NIST.

There is no timetable mentioned in the document for updating the CSF, but it is being reported (here and here) that NIST is expecting to publish an update next year. If past history is any guidance, I would expect NIST to hold a series of future workshops during the development process.

Saturday, April 2, 2016

NIST Updates Workshop Agenda

This week the National Institute of Standards and Technology (NIST) published an updated version of the draft agenda for next week’s NIST Cybersecurity Framework (CSF) Workshop. The new version provides more details about the breakout sessions where most of the work will be accomplished. It also includes more information on some of the panel discussions.

Panel Discussions


Two of the panel discussions may be of specific interest to readers of this blog: one on Coast Guard use of the CSF and the other on insurance and the CSF. Here is how the agenda describes these two panels:

US Coast Guard Maritime Profile Strategy – This panel will focus on the work done by the US Coast Guard and partner organizations on building security profiles, based on the Framework, to secure the bulk liquid transport sector.

Insurance – This panel will discuss the benefits to an evolving and growing insurance market of a widely used and consistent approach to understanding and communicating cyber risks. Panelists will provide their experience with using the Cybersecurity Framework for developing and analyzing data and using the data for underwriting cyber risks.

Other News


The Workshop web page also announced this week that registration has closed for attending the Workshop in person. People that did not complete the registration process will not be allowed on the NIST campus during the workshop. NIST also announced that they would be web casting at least portions of the Workshop on the Workshop homepage starting at 08:30 EDT on April 6th.

NIST also published the ‘official’ TWITTER® hashtag for the Workshop: #NISTCSF. Those of you who already follow NIST on TWITTER (@USNISTGOV) will already have seen that hashtag in their announcements about the Workshop. It is nice to see a government agency making proactive use of social media and not just flooding media with meaningless sound bites.

Saturday, February 27, 2016

NIST Announces New CSF Workshop

Earlier this week the National Institute of Standards and Technology (NIST) announced that they would be holding a 2-day Cybersecurity Framework (CSF) workshop starting on April 6th, 2016 at their facility in Gaithersburg, Maryland. This will be a public workshop and advance registration is required.

While a draft agenda is available (.docx download), it is currently only general in nature. The CSF web site provides a little more detail on what the workshop will cover:

• Ways in which the Framework is being used to improve cybersecurity risk management;
• How best practices for using the Framework are being shared;
• The relative value of different parts of the Framework;
• The possible need for an update of the Framework; and
• Options for long-term governance of the Framework.


In short, it looks like the workshop will address many of the same issues that have been addressed in the latest request for information, but that should not be unexpected to anyone who followed the CSF development process. I expect that more information will be made available in the coming weeks.

Monday, December 7, 2015

FDA Announces Cybersecurity Workshop

Today the Food and Drug Administration (FDA) published a meeting notice in the Federal Register (80 FR 76022-76025) for a public workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity”. The two-day workshop will be held in Silver Spring, MD on January 20-21st, 2016. The workshop will be webcast.

Agenda

According to the meeting notice the FDA, in conjunction with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services, and the Department of Homeland Security, wishes to address the following questions related to coordinated disclosure:

• How might the stakeholder community create incentives to encourage stakeholder participation?
• What do individual stakeholders need to understand and be aware of regarding coordinated disclosure?
• What current tools and models presently exist that may aid stakeholders in implementing disclosure and vulnerability management?
• How can the security researcher community work in collaboration with HPH stakeholders to identify, assess, and mitigate vulnerabilities?

Additional topics of interest include:

• Sharing FDA's current thinking on the implementation of the Framework in the medical device total product lifecycle.
• Adapting cybersecurity and/or risk assessment tools such as CVSS for the medical device operational environment.
• Adapting and/or implementing existing cybersecurity standards for medical devices.
• Understanding the challenges that manufacturers face as they increase collaboration with external third parties (cybersecurity researchers, ISAOs, and end users), to resolve cybersecurity vulnerabilities that impact their devices.
• Gaining situational awareness of the current activities in the HPH sector to enhance medical device cybersecurity.
• Identifying cybersecurity gaps and challenges that persist in the medical device ecosystem and begin crafting action plans to address them.

Registration

Those wishing to attend the workshop in person may register on-line. Early registration is recommended due to the limited seating at the venue.

Registration is not required for the web cast, but the web cast link will not be available until January 13th, 2016.

Public Comments


The FDA is soliciting public comments on the topics to be covered in the workshop. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2014-N-1286). Comments will be accepted until February 22, 2016.

Commentary

The one thing that looks to be missing from this workshop is a discussion of how reported cybersecurity vulnerabilities will be related to device recalls. More on this in a later blog post.

Thursday, May 7, 2015

DHS Announces ISAO Workshop

Today the DHS National Protection and Programs Directorate (NPPD) published a meeting notice in the Federal Register (80 FR 262383) for a public workshop on June 9th, 2015 in Cambridge, MA. The workshop will address automated indicator sharing and analysis by Information Sharing and Analysis Organizations (ISAO).

This is part of the DHS program (initiated by EO 13691; Promoting Private Sector Cybersecurity Information Sharing) to expand access to threat sharing information to companies that do not fit into the existing structure of sector-based Information Sharing and Analysis Centers (ISACs).

The formal agenda will be published on the ISAO web site at some unspecified future date.

Public participation is being solicited by NPPD. Advance registration is recommended and may be accomplished on the RSVP page. The registration is a tad bit more complicated than normal as you have to register for the overall workshop and then for the individual sessions and tracks in which you wish to participate. There are only 352 workshop registrations remaining (as of 7:30 am CDT) and only 25 registrations remaining for the “Automated Indicator Sharing Requirements” track, so early registration seems to be indicated.


NPPD has provided for public comments to be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2015-0017). Comments should be submitted by July 8th, 2015.

Tuesday, February 11, 2014

PHMSA Safety Management Systems Workshop

The Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in today’s Federal Register (79 FR 8241-8242) for a one-day workshop to discuss a rapidly evolving safety management system (SMS) national consensus standard. The public workshop will be held on February 27th, 2014 in Arlington, VA and will include an interactive web cast.

This workshop is targeted at the energy pipeline community. There will be four panels that will present their experience with SMS from industries outside the energy pipeline world including aviation, chemical, nuclear, and health care. The panels will address:

• The role and value of SMS;
• The role of leadership at the top through the lower ranks in making SMS work;
• The value of "safety assurance"; and
• The growing recognition of the role of safety culture in ensuring attainment of key safety objectives.

The workshop web site includes a link for on-line reservations for attending in person or participating in the web cast. Attendees and web cast participants will be able to ask questions of the panels.

Copies of the presentations will be posted to the Docket on the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2014-0014). Public comments may also be posted to this docket through April 14th, 2014.


NOTE: This sounds like the same safety program that the Chemical Safety Board Staff recommended adoption of in both the Chevron and Tesoro refinery investigations.