Preliminary Cybersecurity Framework Seen Likely to Be Similar to Latest Draft
The National Institute of Standards and Technology’s planned release of a preliminary version of the Cybersecurity Framework was put on hold by the government shutdown. Industry observers told us they anticipate the agency will be able to release the new version soon after the shutdown ends and it reopens. Although the shutdown furloughed all but 8 percent of NIST’s staff, the framework is seen to be one of the components of President Barack Obama’s cybersecurity executive order least affected by the shutdown (CD Oct 9 p7). The order had mandated NIST release the preliminary framework for public comment by Oct. 10. The Department of Commerce, which oversees the agency, said in a statement it will “reevaluate the release date when government operations are fully restored.” Industry observers said they anticipate the preliminary framework will not be fundamentally different from a draft NIST released prior to a framework development workshop in September.
NIST was close to making the preliminary framework available for release when the shutdown began Oct. 1, said Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection. He said he’s “very anxious to see the next version,” given some of his concerns with the most recent draft NIST circulated (CD Aug 30 p6). “One of the challenges that NIST faces with this is that they're trying to do all things for all people around cybersecurity risk,” Dix said. “Some of us have tried to suggest that maybe there should be a narrower focus in this effort with a clear understanding of the target audience.”
The most recent framework draft tries to address both basic cybersecurity hygiene best practices and cybersecurity for industrial control systems, Dix said. If the framework focused more on “raising the bar across the stakeholder community just in fundamental basic blocking and tackling hygiene, we would create a significant deterrent for the bad guys,” he said, adding that White House cybersecurity officials have said basic hygiene would prevent 80 percent of the issues the executive order is trying to address. “That’s not to say we don’t focus on control system security and advanced persistent threats, but there are other activities that are looking at those as well.”
The framework draft was “a little high level for my taste,” but the direction is positive, said Consortium for Cybersecurity Action Director Tony Sager. NIST and other agencies received “significant feedback” from the September workshop in Dallas, which indicated stakeholders liked the direction the framework was going, but they felt it was not yet specific enough, said former Deputy Assistant Secretary of Defense-Cyber Policy Bob Butler, a nonresident senior fellow at the Center for a New American Security. Butler is also chief security officer at data center provider Io and has been a consultant for the Defense Department, the Air Force Scientific Advisory Board and other cybersecurity organizations. NIST has been “very open and inclusive” in its consultations with stakeholders and industry’s feedback has been “cautiously positive,” said Sager, former chief operating officer for the National Security Agency’s Information Assurance Directorate. “They're trying to walk a line between improving the nation and trying not to get people up in arms over possible government regulation.” Stronger White House leadership might be needed to get “stronger, more specific guidelines for what enterprises ought to be doing to protect themselves -- more concrete than what we've seen so far,” he said.
Internet Security Alliance President Larry Clinton said he does not expect to “see a dramatic difference between the pre-Dallas framework and the preliminary framework.” Although ISA has supported NIST’s framework development process, the group “has a number of issues with the framework,” he said, adding that the group thinks some portions of the current framework don’t meet the requirements the executive order set out. The current framework, for instance, doesn’t prioritize the importance of particular practices, meaning it doesn’t give corporate officials guidance on where to spend cybersecurity funds, Clinton said.
There’s little in the current framework “that speaks to senior executives, who will make decisions about adopting the framework” within individual companies, Clinton said. “It’s largely a bunch of technical standards that an IT geek is going to fall in love with, but a corporate executive is going to say ‘how much is this going to cost and how much more secure will I get?’ That hasn’t been articulated in the current draft.” But the preliminary framework is still “just a draft,” subject to revisions in the lead-up to the release of the finalized framework in February, Clinton said. “Even if it hasn’t included some of these critical elements, that doesn’t mean it won’t be included eventually.”
Information Systems Security Association President Ira Winkler said he doesn’t believe there will be “too much significant divergence” from the pre-Dallas framework because NIST already had “good insight” into what industry stakeholders would want. The preliminary framework is likely to be different only if a “really smart contractor” at the Dallas workshop suggested a change that would benefit his company, Winkler said. He said he believes the executive order generally is “not going to be overly effective” because it lacks any teeth to mandate industry adoption and is akin to “giving your kid a lollipop so he brushes his teeth.”
NIST has encouraged the preliminary framework’s early adoption to help inform revisions for the final framework due in February, but the framework thus far has been “soft enough that it’s not very helpful,” Sager said. “People are looking at it and seeing what they're already doing that fits into the framework, but I wouldn’t call that adoption. I think things are still high-level enough that I wouldn’t spend a lot of energy on it yet.” Companies that belong to ISA are fairly sophisticated companies that “may well be able to come out in February and say they're adopting the framework already -- but that’s because they already adopt the framework and a bag of chips,” Clinton said. “I don’t think that’s the real criteria by which we should be grading framework success. The real question is how many companies aren’t adopting the framework by February but will be doing it by August. If the framework is just about what people are already doing, then I'm not sure that it’s very useful.”