NIST Forges Ahead With Critical Infrastructure Security Plan
NIST will be soliciting comments on its preliminary cybersecurity framework designed to protect critical infrastructure in the U.S., but critics view 45 days for feedback as inadequate. A short review process could see "a few vocal feedback providers ... trying to stack the deck," said Tripwire CTO Dwayne Melancon. "This sort of process generally does not lend itself to the best outcome."
10/23/13 4:14 PM PT
The Institute will soon open a 45-day public comment period on the framework, seeking input from reviewers on a series of questions. The dates will be announced in the Federal Register.
Commenters can email responses in Microsoft Word or Excel formats to firstname.lastname@example.org or send them through the mail to the Information Technology Laboratory, ATTN: Adam Sedgewick, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930.
All comments will be posted online without change or redaction.
"The 45 days for review is adequate if people take it seriously and NIST incorporates their feedback into multiple rounds of edits," Ken Pickering, director of engineering at Core Security, told TechNewsWorld.
What the Framework Is About
The framework is a risk-based approach consisting of the core, the profile and the implementation tiers.
Its core is a set of standards and best practices that are common across critical infrastructure sectors organized around particular outcomes.
The core consists of five functions: Identify, Protect, Detect, Respond and Recover. It identifies key underlying categories and subcategories for each of the functions and matches them with examples of references such as existing standards, guidelines and practices.
Framework profiles are outcomes that systems or organizations have achieved or are expected to achieve as specified in the categories and subcategories.
The implementation tiers describe how an organization manages cybersecurity risk. They look at an organization's current risk management practices, the threat environment, legal and regulatory requirements, business and mission objectives, and organizational constraints.
There are four tiers, ranging from partial to adaptive and progressing from informal, reactive implementations to risk-informed, agile approaches.
NIST plans to release the official framework in February 2014 as called for in the presidential executive order.
There is some dispute about whether NIST has allotted sufficient time to adequately assess and review comments.
"I do have concerns about the short timeline for feedback," Dwayne Melancon, chief technology officer for Tripwire, told TechNewsWorld. "These kinds of frameworks are very complex, and gathering feedback in isolated pockets can be a problem."
A short, silo-oriented review process could see "a few vocal feedback providers, most likely vendors or systems integrators, trying to stack the deck by providing a lot of input," Melancon continued. "This sort of process generally does not lend itself to the best outcome."
However, "NIST had already obtained a wide range of industry comments in the process of conducting workshops on the framework and had issued a discussion draft in August that provided an overview of the draft issued [on Wednesday]," Gerald Ferguson, co-leader of the privacy and data protection group at law firm BakerHostetler, told TechNewsWorld.
Do It if You Wanna
The framework is voluntary, which might be cause for concern.
"If it's voluntary, it won't make much headway," Core's Pickering pointed out. "It's not like security teams will be given more budgets to comply with a voluntary NIST standard."
There are already plenty of guides and best practices to enhancing cybersecurity. "It all comes down to resources and the level of security that companies are required by law to give their users," he said.
"As long as everything is voluntary and we continue not to take security seriously as a security, or there aren't real penalties to a lack of security when protecting the personally identifiable information of your users, I doubt there will ever be a meaningful impact anyway."
Another Victim of the Budget Crisis
"NIST had intended to release the framework on Oct. 10," NIST spokesperson Jennifer Huergo told TechNewsWorld. "However, the federal government was shut down from Oct. 1 through Oct. 16."
The delay should have no impact on the overall schedule for delivery, she added.
Still, the fact that political issues can sideline a project of such importance to the nation's security might be a cause for concern.