After delays due to the government shutdown, the National Institute of Standards and Technology (NIST) released on October 22 its latest version of a comprehensive cybersecurity framework for critical infrastructure as mandated by President Obama's February cybersecurity executive order (EO). This preliminary framework is subject to a 45-day public comment period, after which NIST will make revisions and then produce a final framework for publication in February.
Based on feedback received before, during and after a September workshop in Dallas, the fourth such meeting since the framework process kicked off in February, NIST incorporated a number of changes into the framework documents and introduced an additional document that offers an alternative mapping of key standards and reference materials used in the framework. The framework consists of five functions, twenty-two categories, ninety-seven subcategories and hundreds of informative standards and references.
Chief among the extensive changes is the introduction of a detailed methodology to protect privacy and civil liberties, modeled on the Fair Information Practice Principles (FIPPs) referenced in the Executive Order, which also stipulates that the framework should incorporate methodologies to mitigate any impact the framework might have on privacy and civil liberty. Another notable addition, in the areas for further improvement of the framework, is a discussion of the need for a skilled cybersecurity workforce.
Because this version of the framework is the first "official" unveiling of NIST's effort to date, meeting a mandatory milestone in the EO through publication of the preliminary framework in the Federal Register, many trade associations, industry groups and corporations publicly lauded the government group's efforts, with most adopting a wait-and-see attitude before embracing the actual framework itself. "We appreciate the collaborative efforts led by Patrick Gallagher and NIST which sought significant input from many public and private stakeholders across the 16 critical infrastructure sectors," the National Cable & Telecommunications Association said in a statement.
"TIA applauds NIST and Director Gallagher for their commitment to fulfill the President's goals in his February 2013-issued Executive Order to strengthen the nation's resilience to cybersecurity vulnerabilities," Grant Seiffert, President of the Telecommunications Industry Association said.
McAfee Federal Director Tom Conway, meanwhile, released a statement that did actually praise the framework itself. "One of the great things about the NIST Preliminary Cybersecurity Framework is that it reflects a true public-private collaboration," he said. "There's been a lot of talk about public-private partnership in cyber security, but this framework goes beyond rhetoric: it's the real deal."
Although most of these positive statements reflect typical political posturing to ensure continued key player status in Washington, they nonetheless also reflect the genuine goodwill among the hundreds of participants who have gathered together four times (with a fifth meeting scheduled in November) for mostly multi-day intensive meetings to help NIST hammer out the framework. The noted sense of collaboration and community, and the willingness of NIST to deal with and incorporate often fractious feedback, is the signal achievement of the framework process, many participants said.
"Now what we've developed is a framework for people working together," Jack Whitsitt, Principal Analyst for energy industry cybersecurity consortium EnergySec said. "Industry was wildly supportive, they showed up and gave input and their input was accepted. That's phenomenal."
"NIST has been trustworthy," according to one chief security officer involved in the process, who noted that the latest version of the framework goes a long way to correcting some of the problems he flagged. "The venues for the community to collaborate and talk with each other" for the common good has been one of the most positive aspects of the framework's development, he said.
Even so, the latest version of the framework itself still falls short of offering a viable means for effectively improving cybersecurity practices, many participants said. "Actually reducing cybersecurity risks has not been part of the conversation" Whitsitt said. "We shouldn't lose sight that we haven't worked on the problem of effectiveness."
One continued prominent problem with the framework, which many participants have discussed throughout the process, is that it lacks clear guidance as to what actually constitutes adoption of the framework. "I still don't know what it means to adopt the framework," Larry Clinton, head of the Internet Security Alliance said. Without a clear definition of what adoption means, the framework could be relatively toothless, leaving it up to individual organizations to simply assert adoption without any means of assessing whether they have.
Another central issue that hasn't been resolved is the lack of prioritization, particularly for small and mid-sized firms unversed in the complex lingo of cybersecurity practices. "It doesn't help people put [things] in useful order," Whitsitt said.
Clinton also said that the framework still misses the mark in terms of meeting the EO's requirements that the framework provide a cost-effective approach. "They seem to be affirmatively walking away from the very specific order that the framework be prioritized and that it be cost-effective. It's probably one of the things most needed by their target audience. The question is where do I spend it? Where do I get the best bang for the buck?"
Another chief ongoing concern is the degree to which the framework might become mandatory for many critical infrastructure sectors through regulatory maneuvers. Although the EO stipulates that the framework is voluntary, it also requires relevant federal agencies to submit a report to the President stating whether they have clear authority to establish requirements based on the framework.
That report is due within 90 days of October 22, the date when NIST published its latest version, or on January 20, 2014, closely before NIST finalizes the framework. The original deadline for publication of the final framework prior to the government shutdown was February 12, 2014, a deadline that NIST is still hoping to meet despite the delay.
Many of these and other concerns will be subject to further debate and discussion as the framework continues to evolve before the February deadline and, quite likely, beyond that deadline. NIST plans to further refine the framework through the upcoming workshop in North Carolina and after receiving the public comments.
"There's no magic bullet here and making progress will require sustained engagement," Adam Sedgewick, the chief organizer of the framework at NIST said. "We have a lot of work to do until February with receiving and adjudicating comments, and I think our role will evolve a bit at that point. That will include thinking about the next version of the Framework, how to support future R&D and standards needs--including the areas for improvement in the framework--conformity assessment, and rolling out framework maintenance to the private sector."
Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.