Trade Law Daily is a Warren News publication.
Cautious Metrics Discussions

NIST, Stakeholders Work on Cybersecurity Framework Update Amid Outside Events

Cybersecurity stakeholders kicked off two days of workshops on the National Institute of Standards and Technology's proposed v1.1 update to the cybersecurity framework, acknowledging that recent cyber incidents and a cybersecurity executive order from President Donald Trump loomed over the discussions. NIST's update, announced in January, included metrics language aimed at starting a conversation on how to effectively measure use of the framework (see 1701100084). Stakeholders urged the agency last month to be cautious about its final language on benchmarks and emphasized that the private sector should continue to be the primary driver of updates (see 1704110045).



NIST Framework Program Manager Matthew Barrett urged stakeholders Tuesday to consider carefully during the workshops whether to urge the agency to move forward with finalizing the v1.1 update, noting that the agency will also need to decide whether a full-scale overhaul of the framework will be needed later. Barrett acknowledged stakeholder concerns about the original metrics language in the v1.1 proposal, saying he wanted to be clear that NIST intended to explore metrics only as a self-assessment tool for users, not as a basis for future regulatory compliance. An initial NIST analysis of comments, released Monday, noted a thread of calls for caution on metrics development, including suggestions that the agency prioritize outcome-based metrics over quantitative ones. The analysis shows the agency “got the message” the communications sector sent on metrics, said Wiley Rein telecom and cybersecurity lawyer Megan Brown.

Barrett said the framework's main audience remains the private sector even as the EO shows the administration views the document as “part of the solution” for the federal government's cybersecurity issues. The order, released last week, directed the Office of Management and Budget and the Department of Homeland Security to assess all federal agencies' cybersecurity risks and required agencies to manage their risk using the NIST framework (see 1705110058).

Barrett acknowledged the simultaneously “unfortunate” and “good” timing of the workshop, coming days after the start of the global WannaCry ransomware attack (see 1705160038, 1705150008 and 1705120055). WannaCry, which the healthcare sector is still grappling with, underscores that the sector faces cyber challenges not only from ordinary cybercriminals but also from nation-state actors, said Pennsylvania State University Hershey Medical Center Cyber Security Program Director Matthew Snyder.

Rapid7 Director-Public Policy Harley Geiger and others emphasized ways NIST can incorporate updates on metrics and other issues without substantially disrupting the framework's core and other elements. Geiger was among those urging the agency to work on ways to clearly indicate how the framework applies to all stakeholders, since the original document was aimed specifically at critical infrastructure sectors. President Barack Obama's 2013 cybersecurity EO, which tasked NIST with leading the framework's development, was aimed at protecting critical infrastructure sectors (see report in the Feb. 14, 2013, issue).

NIST should mention vulnerability disclosure more explicitly in the framework core, even though it is technically already covered among the document's subcategories, Geiger said. Such a revision wouldn't require major changes, he said. Geiger favored weaving supply chain cybersecurity management into the existing framework rather than creating a separate section. Any guidance NIST issues on supply chain cybersecurity should clarify what share of responsibility for risk management exists at different levels of the supply chain, said Amazon Web Services Chief Information Security Officer Jennifer Gray. Geiger and Gray noted NIST's metrics work is still fairly nascent.