NIST Cybersecurity Framework Still Gets Mixed Grade from Stakeholders
The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework still has a mixed legacy for the critical infrastructure sectors to which it was targeted, more than six months after the agency released the framework’s “Version 1.0,” industry participants said Wednesday during a joint Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)-DCT Associates webinar. NIST released the Version 1.0 framework in mid-February, simultaneous with the start of the Department of Homeland Security’s (DHS) voluntary Critical Infrastructure Cybersecurity Community (C3) program to encourage industry use of the framework (CD Feb 13 p5).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
NIST is continuing to work with industry and government stakeholders to revise the framework and plans to soon issue a formal request for information (RFI) seeking feedback on stakeholders’ experiences using the framework, said DCT Associates President Cynthia Brumfield. The agency said it also plans a workshop Oct. 29-30 at the University of South Florida’s Florida Center for Cybersecurity to collect feedback on the framework. Brumfield encouraged stakeholders to submit comments to the RFI, saying the agency is seeking a “healthy debate” on the framework.
The NIST framework “is not a bad outcome” for federal involvement in cybersecurity, given the more regulatory approaches previously proposed through legislation like the Cybersecurity Act of 2012, said Chris Blask, chairman of the ICS-ISAC board. President Barack Obama’s cybersecurity executive order, which directed NIST to work with industry to develop the Cybersecurity Framework, has focused on encouraging critical infrastructure sectors to voluntarily take steps resulting in a more secure infrastructure, which has also meant corporate boards are paying more attention to cybersecurity, Blask said. The framework itself is a “reasonable Physician’s Desk Reference” for organizations to use as they make cyber-risk management plans, he said.
Perry Pederson, co-founder of The Langner Group cybersecurity firm, said the framework is at best a “baby step on a very long journey,” but generally falls far short of what’s necessary to aid critical infrastructure owners and operators. He faulted the framework’s reliance on what he called “business-friendly” language suggested by industry that allows a company to do a minimal amount of work “and still claim that I'm compliant,” adding that it was unreasonable to assume a company would do more than the minimum. The NIST framework is also flawed because it doesn’t adequately explain how a company should implement suggested activities, placing too much of the burden on the end user.
Jaap Schekkerman, CGI Group director-global cybersecurity, said he believes NIST’s initiative to develop the framework was a good idea but he remains concerned that the framework doesn’t include enough related documentation to make it an effective tool for companies that don’t have some existing cybersecurity risk management policies. The NIST framework only sets up a “governance environment” in which risk management planning can occur, but that planning requires a company to already have a set of risk management requirements and cybersecurity references that planners can refer to, he said. “I don’t see how you can use this framework in real life."
Greg Witte, cybersecurity firm G2’s program manager-security standards, defended the NIST framework’s approach as a starting point that “wasn’t meant to be a specific technical framework.” The NIST framework does repeatedly reference outside technical standards from the Council on CyberSecurity and ISACA (formerly the Information Systems Audit and Control Association), joint standards from the International Organization for Standardization and International Electrotechnical Commission, and internal NIST standards. Because the NIST framework and the associated C3 program are completely voluntary, “we shouldn’t be directing people” to take specific actions, Witte said. “It’s helping them to decide how to prioritize.”