Major changes ahead as NIST cybersecurity framework nears October publication

Last week, the National Institute of Standards and Technology (NIST) hosted in Dallas the fourth workshop on the critical infrastructure cybersecurity framework mandated by President Obama’s February cybersecurity executive order (EO). The EO requires NIST to publish the ambitious framework in preliminary form for public comment in the Federal Register by October 10. The framework must be published in final form by February 2014.

Headed into the workshop in Dallas, NIST issued a second, more detailed version of the draft framework, which the hundreds of attendees discussed across six working groups and six topic specific working sessions. NIST also hosted plenary sessions with government and industry speakers addressing a number of topics, including the threat environment for critical infrastructure, the state of the cybersecurity insurance market and implementation of the framework by various sectors.

Most of the workshop attendees praised NIST’s efforts to incorporate feedback into this latest version, while also raising a number of concerns over the scope, utility and clarity of the complex undertaking. “I will say I believe the framework is coming along nicely, the NIST folks have been very receptive to industry’s input and I believe there will be time to comment before it is final release in February,” said a telecom industry source. “The really difficult part will be in getting all organizations to accept and use it. I see that as a big challenge.”

Timing is one of the key concerns given that NIST only began work in February and has just a few weeks to turn around another draft version of the framework to meet the October 10 deadline. “Eight months by some measures is impossibly fast,” Patrick Gallagher, Director of NIST, said. “It was obviously extremely aggressive [but] I’m really happy with the progress to this point.”

Few areas of true consensus emerged among the key players in the process, although one point of agreement among most is that NIST still has substantial work ahead if it wants to produce a useful framework that applies across all sixteen critical infrastructure sectors. “The sense I had coming out of the meeting in Dallas is that there was much greater awareness by NIST that there was a lot more work that needed to be done on the framework,” Larry Clinton, President of the Internet Security Alliance, said. “I’m more hopeful that we will see a lot more work by NIST before the framework comes out in October.”

The framework, which covers five functions and around 21 categories, 90 subcategories, as well as hundreds of standards, is perhaps still overly complex, most agree. “If the framework makes security harder and more complex, nobody will adopt it,” Clinton said. “I think what we currently have is tilted to the harder and more complex.”

One telecom industry cybersecurity specialist said, “They’ve thrown a lot up against the wall and I think one of the things that has come out loud and clear is that it’s too long.” The intricate nature of the framework may prove to be particularly problematic for smaller organizations, a potential problem which NIST plans to address as it continues to refine the framework.

“One of the things we heard in Dallas is that people said we’re not interested in major critical infrastructure [because they already have complex cybersecurity systems in place], we’re interested in smaller and mid-sized players,” the same telecom specialist said. “If you shift down to those smaller organizations they will have a difficult time even understanding this.”

NIST Cybersecurity Framework proposal provides ‘no measurable cybersecurity assurance’]

Yet another area of consensus is that NIST does not yet provide any guidance as to what constitutes adoption of the framework, potentially leaving it up to organizations to figure that out by themselves or simply self-certify and assert adoption of the framework, which would undercut any true cybersecurity benefits.

A related concern is that the framework does not acknowledge that the levels or tiers of adoption could and perhaps should vary significantly across organizations that are involved in diverse businesses or have diverse customers. “If we provide circuits into the Pentagon, we are going to make sure those things are tight,” one telecom industry representative said. “But if we want to build a circuit into an apartment complex, we’re going to do things differently.”

“We will continue to talk about adoption but this is really a set of toolboxes — it’s not one size fits all so adoption will vary,” Adam Sedgewick, one of NIST’s principal framework organizers, said. “We expect organizations will adopt it in different ways.”

Some of the harshest assessments of the framework flow from cybersecurity specialists steeped in their disciplines and typically responsible for the day-to-day oversight of cybersecurity systems. “Our industry keeps fracturing security standards,” one chief information risk officer for a major financial institution said, referring to the multiplicity of frameworks that his and other organizations are currently attempting to follow. “The NIST framework is just another fracture. This is just another layer and it will create more work.”

Some of the most positive assessments of the framework come from consulting firms and cybersecurity vendors, a fact warily noted by many of the critical infrastructure industry representatives. “The framework comes out and organizations say ‘my god, how do I figure it out,'” one participant said. “Then Booz Allen says, ‘let us figure it out for you.’ They have a different perspective as clearly a vendor in the space.”

A host of other issues were raised during the workshop, including whether NIST should tailor the framework further for each of the critical infrastructure sectors, taking into account the divergent nature of those sectors. NIST representatives say they’re ready to continue collaborating with sector representatives to develop the framework further.

The October 10th publication kicks off a 45-day comment period and will be followed by an additional, previously unscheduled workshop in November. NIST will continue to engage in stakeholder outreach and develop plans for the maintenance and updating of the framework past the final publication in February.

NIST views the framework as an ongoing process rather than a solidified document. “In my view the framework is never finished,” NIST’s Gallagher said.

Cynthia Brumfield, President of DCT Associates https://www.dct-associates.com, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.