The National Institute of Standards and Technology (NIST) released on August 28 a more complete discussion draft of the preliminary cybersecurity framework that the government group has been developing pursuant to White House Executive Order (EO) 13636, which President Obama signed in February. This voluntary framework is intended to serve as a fundamental guide for critical infrastructure owners and operators to develop and manage cybersecurity risk programs, although NIST hopes that the framework will be adopted by all organizations regardless of size or business activity.
The August 28 draft comes on the heels of three intensive workshops held across the country, mostly multi-day meetings that were attended by hundreds of cybersecurity, government, and public policy professionals. The draft further reflects a round of formal public comments solicited by NIST during which it received thousands of pages of feedback on how the framework should be structured. One final NIST workshop will be hosted in Dallas starting on September 11 and will end less than a month before the October 10 deadline for publishing the draft framework in the Federal Register, as required under the EO. The final framework must be completed by February 2014.
Given the extremely tight schedule, the final workshop in Dallas is the last, best shot for making fundamental changes to the framework, which has turned into an ambitious first-time effort by the federal government to develop a comprehensive roadmap for ensuring greater security in the cyber realm. The draft released on August 28 is the second version of the framework and features more detailed information on its core (which encompasses the five basic security elements of identify, protect, detect, respond, and recover and covers multiple categories, subcategories, and informative reference standards). The draft also covers guidance on implementation tiers (which reflect a progressive scale from partial through adaptive), how to develop a framework profile, and advice on establishing or improving a cybersecurity program.
NIST also introduced two new subject matters for discussion: areas for further improvement, where new or revised standards are needed, and an appendix that spells out a broad and relatively generic methodology to protect privacy and civil liberties, a topic mandated by the EO.
While NIST is open to further changes, saying that work will continue on the framework through February — particularly in the areas where gaps still exist and further improvement is needed — the framework is fairly well solidified in its basic structure. While most cybersecurity professionals involved in the process say that NIST made some distinct improvements between the first and second drafts, many say that the framework that has emerged has some problems.
"I can't think of a single nice thing to say about it," Jack Whitsitt, Principal Analyst for energy sector cybersecurity consortium EnergySec, said. "It does not make the problem simpler. It does not arrange the problem in a new or interesting or helpful way. It doesn't reduce the problem in any way. It doesn't help in making any decisions."
Whitsitt's contention, echoed by some other cybersecurity practitioners, is that the framework does very little to actually strengthen cybersecurity efforts despite the fact that it is based on existing practices and standards.
"All the individual pieces [of the framework] are valid," he said. "[But] the problem hasn't ever been that there isn't a list somewhere of things that should be done. We have lists everywhere of what should be done...this is just a different way of organizing it without getting any value out of it."
Other participants in the NIST process aren't quite as stark in their assessment, but nonetheless say many parts of the framework remain confusing.
"There is still a lot of uncertainty," one telecom industry participant said. "The biggest concern is that there is no clarity as to what constitutes adoption. Without knowing what constitutes adoption, companies are going to be hesitant to adopt the framework," he added, noting that NIST does not specify which parts of the framework, or how much of the framework, an organization must follow in order to be classified as "adopting" the framework.
Adam Sedgewick, one of the key organizers of the framework process at NIST, said that NIST doesn't plan to define what constitutes adoption of the framework. "It's a voluntary framework and we hope that there is broad applicability and people will pick it up and use it," he said.
Another big concern among some telecom players is the maturity model nature of the framework. "When you think of mid companies or below that haven't worked with maturity models, those guys are going to be completely floundering in terms of what those different tiers mean," the same telecom participant said. "Is the expectation over time that they will move from the lower tiers to the higher tiers irrespective of their business model or their size?"
Washington representatives of various critical infrastructure providers tend to be more supportive of the current framework, at least publicly. "They're headed in the right direction," Nathan Mitchell, Director of Electric Reliability Standards and Compliance for the American Public Power Association, said. "They need to clarify what they have as tiers and what those tiers mean. There is a lot more defining all of that and getting the words on paper."
But everybody admits that the clock is ticking loudly and that any further major changes in the framework will require extraordinary effort. "The hard thing is getting that all done by October," Mitchell said. "I can't say that it's not going to happen, it just seems like a stretch."
Cynthia Brumfield, President of DCT Associates (www.dct-associates.com), is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.