Trade Law Daily is a Warren News publication.
Implementation Tiers Criticized

Industry Stakeholders Tell NIST Not To Pursue Major Revamp of Cybersecurity Framework

The National Institute of Standards and Technology should concentrate on improving its existing Cybersecurity Framework rather than make any move toward developing an entirely new iteration of the framework, cybersecurity stakeholders said in filings. NIST had been seeking comments on how entities are using the existing framework, which the agency released in 2014, and whether a full update is needed. Communications and tech sector stakeholders were particularly supportive of the existing NIST framework, confirming NIST officials' earlier assessment that stakeholders didn't view a full framework update as necessary (see 1602180068). However, many stakeholders said the NIST framework's implementation tiers guidance hasn't worked as planned, and several suggested NIST remove them from the framework.

Microsoft urged NIST to prioritize updating the framework “to foster greater usability both within and between organizations,” particularly by providing “greater clarity around the distinctions between” the existing implementation tiers that indicate the degree to which a particular entity is using the NIST framework's best practices. The existing tiers “are challenging to use because much of the text that differentiates between them creates overlapping metrics, necessitating subjective judgments,” Microsoft commented. The company urged NIST to develop guidance for framework use that “clarifies the intent and context behind” the framework's best practices categories and subcategories since such guidance “could help organizations focus on security outcomes rather than on controls implementations.”

Intel cautioned NIST against making major updates to the framework, noting that many entities are still “at the preliminary stages of framework understanding.” Still, Intel said the NIST framework “needs to incorporate threat lifecycle categories and subcategories” into its best practices core document. NIST also needs to modify the existing implementation tier definition, “for an organization to properly evaluate itself,” Intel commented. Although a wholesale framework update shouldn't be on NIST's radar in the near future, it would still be “very important for the next version of the framework to have active participation from our partners across the globe if it is to be applicable and gain acceptance in other parts of the world,” Intel said.

The Telecommunications Industry Association and members “strongly believe it would be premature for NIST to pursue significant updates to the methodology and approaches outlined in the Framework,” TIA commented. NIST “should be continuing to use the Framework to reinforce the idea that voluntary, process-oriented guidelines, developed with industry’s input, of the kind embedded in the Framework is superior to mandated cybersecurity standards,” TIA said. “NIST should work on promoting the elements of the Framework domestically, with civil agencies at the Federal and state levels, as well as on the international front.”

CTIA believes any substantial revisions to the framework “would be disruptive in this initial stage of implementation, as practices still are being mapped to it and it is being used to create additional guidance and training,” the industry group commented. Minor “course corrections” may be needed, including removing elements of the framework “that have proven less effective,” CTIA said. Some CTIA members have found that the existing implementation tiers “are not particularly useful,” the association said: “If this experience is shared in other sectors, NIST might consider deleting” the tiers entirely.

NCTA members have also found that the implementation tiers “have not proven useful,” the cable association commented. The tiers “do not reflect modern best practices used by our member companies in their technology development programs,” NCTA said. “The tiers concept in the Framework is based upon the capability maturity model previously used for software and product development. Capability maturity models have proven to be too structured and rigid for areas such as software development and cybersecurity that are constantly evolving.”

USTelecom said any updates to the Cybersecurity Framework should focus on “consensus-based gaps,” noting that its members want the framework to “evolve in ways that enhance its usability and effectiveness.” NIST doesn't need to “convene the type of effort that was required” to develop the original framework, USTelecom commented. One of USTelecom's members said NIST “should focus on risk management approaches that have the most bang for the buck and have broad support across industry and government,” the industry group said.

The Information Technology Industry Council recommended that NIST refine the Cybersecurity Framework to make it “a more valuable tool to a broader array of organizations,” including an expansion of the definitions included in the implementation tiers to include “additional detail and usage notes.” NIST should also review and update the cyber risk management standards references used in the framework “on a periodic basis,” ITI commented. Only “informative references that comprise consensus-based, industry-led international standards and best practices should be considered for inclusion” in future NIST framework updates, ITI said.