NIST's latest cybersecurity framework reveals a lot of goodwill amidst continued criticism

After implementing changes based on feedback, NIST's latest version of the framework receives praise

After delays due to the government shutdown, the National Institute of Standards and Technology (NIST) released on October 22 its latest version of a comprehensive cybersecurity framework for critical infrastructure as mandated by President Obama's February cybersecurity executive order (EO). This preliminary framework is subject to a 45-day public comment period, after which NIST will make revisions and then produce a final framework for publication in February.


Based on feedback received before, during and after a September workshop in Dallas, the fourth such meeting since the framework process kicked off in February, NIST incorporated a number of changes into the framework documents and introduced an additional document that offers an alternative mapping of key standards and reference materials used in the framework. The framework consists of five functions, twenty-two categories, ninety-seven subcategories and hundreds of informative standards and references.

Chief among the extensive changes is the introduction of a detailed methodology to protect privacy and civil liberties, modeled on the Fair Information Practice Principles (FIPPs) referenced in the Executive Order, which also stipulates that the framework should incorporate methodologies to mitigate any impact the framework might have on privacy and civil liberty. Another notable addition, in the areas for further improvement of the framework, is a discussion of the need for a skilled cybersecurity workforce.

Because this version of the framework is the first "official" unveiling of NIST's effort to date, meeting a mandatory milestone in the EO through publication of the preliminary framework in the Federal Register, many trade associations, industry groups and corporations publicly lauded the government group's efforts, with most adopting a wait-and-see attitude before embracing the actual framework itself. "We appreciate the collaborative efforts led by Patrick Gallagher and NIST which sought significant input from many public and private stakeholders across the 16 critical infrastructure sectors," the National Cable & Telecommunications Association said in a statement.

"TIA applauds NIST and Director Gallagher for their commitment to fulfill the President's goals in his February 2013-issued Executive Order to strengthen the nation's resilience to cybersecurity vulnerabilities," Grant Seiffert, President of the Telecommunications Industry Association, said.


McAfee Federal Director Tom Conway, meanwhile, released a statement that did actually praise the framework itself. "One of the great things about the NIST Preliminary Cybersecurity Framework is that it reflects a true public-private collaboration," he said. "There's been a lot of talk about public-private partnership in cyber security, but this framework goes beyond rhetoric: it's the real deal."

Although most of these positive statements reflect typical political posturing to ensure continued key player status in Washington, they nonetheless also reflect the genuine goodwill among the hundreds of participants who have gathered together four times (with a fifth meeting scheduled in November) for mostly multi-day intensive meetings to help NIST hammer out the framework. The noted sense of collaboration and community, and the willingness of NIST to deal with and incorporate often fractious feedback, is the signal achievement of the framework process, many participants said.


"Now what we've developed is a framework for people working together," Jack Whitsitt, Principal Analyst for the energy industry cybersecurity consortium EnergySec, said. "Industry was wildly supportive, they showed up and gave input and their input was accepted. That's phenomenal."

"NIST has been trustworthy," according to one chief security officer involved in the process, who noted that the latest version of the framework goes a long way to correcting some of the problems he flagged. "The venues for the community to collaborate and talk with each other" for the common good has been one of the most positive aspects of the framework's development, he said.

Even so, the latest version of the framework itself still falls short of offering a viable means for effectively improving cybersecurity practices, many participants said. "Actually reducing cybersecurity risks has not been part of the conversation," Whitsitt said. "We shouldn't lose sight that we haven't worked on the problem of effectiveness."

One continuing, prominent problem with the framework, which many participants have discussed throughout the process, is that it lacks clear guidance as to what actually constitutes adoption of the framework. "I still don't know what it means to adopt the framework," Larry Clinton, head of the Internet Security Alliance, said. Without a clear definition of what adoption means, the framework could be relatively toothless, leaving it up to individual organizations to simply assert adoption without any means of assessing whether they have actually done so.

Another central issue that hasn't been resolved is the lack of prioritization, particularly for small and mid-sized firms unversed in the complex lingo of cybersecurity practices. "It doesn't help people put [things] in useful order," Whitsitt said.


Clinton also said that the framework still misses the mark in terms of meeting the EO's requirements that the framework provide a cost-effective approach. "They seem to be affirmatively walking away from the very specific order that the framework be prioritized and that it be cost-effective. It's probably one of the things most needed by their target audience. The question is where do I spend it? Where do I get the best bang for the buck?"

Another chief ongoing concern is the degree to which the framework might become mandatory for many critical infrastructure sectors through regulatory maneuvers. Although the EO stipulates that the framework is voluntary, it also requires relevant federal agencies to submit a report to the President stating whether they have clear authority to establish requirements based on the framework.

That report is due within 90 days of October 22, the date when NIST published its latest version, or on January 20, 2014, shortly before NIST finalizes the framework. The original deadline for publication of the final framework prior to the government shutdown was February 12, 2014, a deadline that NIST is still hoping to meet despite the delay.


Many of these and other concerns will be subject to further debate and discussion as the framework continues to evolve before the February deadline and, quite likely, beyond that deadline. NIST plans to further refine the framework through the upcoming workshop in North Carolina and after receiving the public comments.

"There's no magic bullet here and making progress will require sustained engagement," Adam Sedgewick, the chief organizer of the framework at NIST, said. "We have a lot of work to do until February with receiving and adjudicating comments, and I think our role will evolve a bit at that point. That will include thinking about the next version of the Framework, how to support future R&D and standards needs (including the areas for improvement in the framework), conformity assessment, and rolling out framework maintenance to the private sector."

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.
