Gets its First Tune-up

By: William Jackson
June 10, 2016


The National Institute of Standards and Technology (NIST) has reviewed community assessments of the two-year-old Framework for Improving Critical Infrastructure Cybersecurity, and expects the first revision of the document to be available for comment early next year.

NIST calls the revision a “minor update” that will refine and clarify a few points and should have little impact on organizations already using the framework.

The tune-up is the result of more than 100 written comments and of a public workshop held earlier this year that drew 800 participants. The framework has received mostly positive reviews and has seen widespread use in both the private sector and in government, as a tool for coordinating cybersecurity at a high level and for communicating cybersecurity requirements among vendors, service providers, and partners. Commenters called for few immediate changes, but sharing cybersecurity information remains a challenge.

“A general concern . . . was that publicly sharing current practices might embolden adversaries and provide potential intelligence gathering opportunities for cyberattack,” NIST wrote in its assessment of comments. “Some workshop participants felt that providing best practices would put their organization at a competitive disadvantage by increasing liability, specifically regarding customer/vendor non-disclosure agreements, while others reported they had no such concerns.”

Some participants also were concerned that performing self-assessments under the framework might raise liability exposure, but there was no consensus on this topic.

The framework is voluntary guidance released by NIST in February 2014 to help address cyberthreats to the nation’s privately owned and operated critical infrastructure. It is intended to be a living document that will be regularly reviewed and updated, and it is based on industry and government standards and best practices. It is divided into three parts:
• The Framework Core, a template of activities and outcomes that can be used with existing standards to develop individual organizational Profiles;
• The Framework Profile, which helps organizations align their cybersecurity activities with business requirements, risk tolerances, and resources; and
• The Framework Implementation Tiers, which rate the rigor of an organization’s cybersecurity risk management practices.

Despite industry’s general wariness of government, users are generally happy with NIST’s stewardship of the framework, and want the institute to continue in its role of bringing together stakeholders and maintaining the document. While NIST makes its minor updates to the framework, it recommended actions that stakeholders using the document can take on their own:

• Customize the framework for specific sectors, identifying elements that are more or less applicable and prioritizing them based on the sector’s needs.
• Publish a sector profile or a relevant “crosswalk.” A mapping of important legislation, regulation, or guidelines to Framework Categories or Subcategories is considered a crosswalk, and it can help reconcile overlapping requirements within a Profile.
• Advocate for the framework within and among sectors. The larger the user community, the more useful the framework will be.
• Publish “summaries of use” or case studies of framework implementation. The entire ecosystem benefits from confirmation that the framework is being used, and how.
• Share your framework resources with NIST. The NIST team benefits greatly from knowing what resources organizations have built around the framework.