Now two years old, NIST’s Framework for Improving Critical Infrastructure Cybersecurity has been well received by both industry and government agencies as guidance for improving the nation’s cybersecurity. But it is a work in progress, and the old issue of information sharing remains a challenge as the framework’s next steps are being considered.
Everyone agrees—and has agreed for years—that sharing information about cyberthreats, best practices, failures and successes is essential. But concerns about competition and liability continue to inhibit sharing among companies and between the public and private sectors, according to the National Institute of Standards and Technology (NIST).
A request for comments on the future of the framework was issued in December. NIST released an analysis of more than 100 responses this week. A workshop on the framework is being held next month.
The Cybersecurity Framework, published in February 2014, is a voluntary set of standards, guidelines and best practices developed in collaboration with public and private sector stakeholders. It is intended to provide high-level voluntary guidance to owners and operators of critical infrastructure, from power grids and transportation systems to financial services. Since its release it has seen wide adoption by industry and government, but developers want to increase awareness, both in this country and globally.
Although it is intended to be a living document, the framework has remained in version 1 since its release. If, when and how frequently it should be updated is one of the questions being addressed at the workshop. Suggestions on this range from “don’t change it yet,” to “no more than once a year” and “keep it continuously evolving.”
Interestingly—given the usual antipathy of industry for government—users so far are generally happy with NIST’s role in creating and overseeing the document. Although governance might eventually be turned over to a neutral, non-governmental third party, just about everyone seems to agree that NIST should continue its role for now. This speaks well of the agency’s reputation as a non-regulatory consensus builder. No organization has ever had a NIST auditor show up at its door or been fined by NIST.
“Given the competence demonstrated throughout the effort and the proven ability to bring a broad array of stakeholders to the table, it would be premature at this time to transfer responsibilities to the private sector,” one commenter wrote.
But, “The future success of the Framework will depend in large part on the extent to which individual enterprises share their experiences and learn from the experience of others,” another wrote. And that is a challenge.
Because the framework is a high-level document meant to be applicable to organizations of any size in any industry sector, it contains few details on implementation. Users are looking for real-world information to guide them.
Unfortunately, “There is no method or means to communicate how or why the Framework ‘works’ in real life to better the cybersecurity posture of a particular company,” one commenter wrote. But liability and competition in the private sector are incentives for keeping this type of information proprietary.
“In a competitive market there is often little incentive for firms to share their best practices with other firms,” one comment says. “The lack of safe harbor provisions for best practice implementation and good faith efforts has also led to a mentality among healthcare providers that has paralyzed them with fear and given the variety of interpretations to the NIST framework by regulatory agencies; the risk of not moving forward is less than the risk of potential misstep,” said another.
But NIST cannot provide such a safe harbor; that would be the job of Congress. And each company will have to decide for itself whether the benefits of better collective cybersecurity trump competitive advantage.
These challenges will be on the agenda at the workshop being held April 6 and 7 at NIST headquarters in Gaithersburg, Md. Registration closes March 30. More information is available online.