A new edition of the NIST Cybersecurity Framework is nearing completion and the public has until April 10 to submit comments on proposed changes to the document, which has proved surprisingly adaptable since its publication in 2014.
The Framework for Improving Critical Infrastructure Cybersecurity has become a good example of the old adage about not letting the perfect become the enemy of the good. Nobody thought it was perfect when it came out. It is a high-level document offering standards and best practices without prescribing specific actions or controls. But it is the product of collaboration among government and private sector stakeholders, and just about everyone agrees it is—at the least—a good start.
As its full title implies, the framework originally was intended for the nation’s critical infrastructure, which is primarily in the private sector. But it has seen widespread adoption outside of critical infrastructure, and a recent draft of a proposed presidential executive order would mandate use of the Framework for managing cyber risk by federal agencies.
The Framework works because it is not too specific. Although the details of implementing cybersecurity will differ from one organization to another, “Cybersecurity doesn’t really vary much at its most critical level,” said Steven Grossman, VP of strategy and enablement at Bay Dynamics. The Framework establishes a widely applicable baseline, allowing each organization to work out the details of risk assessment and the elimination, mitigation or appropriate acceptance of risk.
It was intended from the beginning to be a living document, and the proposed version 1.1, released in January, contains changes in three major areas:
• A new section on cybersecurity measurement with metrics to correlate cybersecurity with business results,
• An expanded section on applying the Framework to supply chain risk management, and
• Refinements in Identity Management and Access Control covering the entire identity and credentialing lifecycle.
The revised document still is not perfect, Grossman said. He would like to see more detail and prescriptive language (although “not too prescriptive—it’s always a balance”), and more specifics on implementing the Framework. He also would like metrics for measuring business outcomes to be better defined.
“The effect of cybersecurity outcomes on a business objective may often be unclear,” the Framework says. But cybersecurity is an important activity for any organization, and “even when cost effectiveness or the effect of cybersecurity outcomes on a business objective are unclear, organizations should exercise prudence when modifying their cybersecurity program.”
This is true, Grossman says, but not as helpful as it could be. Still, this revision is not the end of the Framework’s evolution. “It can only continue to improve and get better,” he said.
NIST is seeking comments on additional topics that could be covered in the final revision, the impact of changes on the cybersecurity ecosystem and how they will affect users, and additional topics that should be added to the Framework’s roadmap for future consideration.
Feedback and comments should be sent to cyberframework@nist.gov by April 10.