Communications Litigation Today was a Warren News publication.
Mixed Reaction From Experts

NIST Releases Preliminary Cybersecurity Framework

The National Institute of Standards and Technology released the preliminary version of the Cybersecurity Framework Tuesday, meeting skepticism from some cybersecurity experts. Early reaction from industry groups praised NIST’s inclusion of industry in the framework’s development, but the groups said they needed to review the framework more thoroughly. NIST had said it wanted to release the new version for public comment as soon as possible since it missed its original Oct. 10 deadline because of the government shutdown. NIST said it believes it will be able to meet the February deadline to release a final version of the framework.

The preliminary framework’s structure is essentially the same as what NIST included in a discussion draft released in August (CD Aug 30 p6). It contains a “Framework Core” that advises critical infrastructure owners and operators to identify systems in need of protection and implement safeguards. A set of “Framework Implementation Tiers” will help an organization identify the degree to which it manages cybersecurity risk, while a “Framework Profile” helps organizations create a “roadmap” to reduce cyber risk.

The framework core heavily references five security standards: The Council on CyberSecurity’s Top 20 Critical Security Controls, ISACA’s (formerly Information Systems Audit and Control Association) Control Objectives for Information and Related Technology, the International Society of Automation’s ANSI/ISA-62443-2-1 security standard for industrial automation and control systems, the International Organization for Standardization/International Electrotechnical Commission ISO/IEC 27001 information security management system standard and NIST’s Special Publication 800-53, Revision 4 federal information systems security and privacy standard (http://1.usa.gov/1bcaMqK).

NIST’s release of the preliminary framework began a 45-day comment period that will help guide revisions in advance of the final framework. The agency wants input on a variety of issues, including whether companies can implement the framework in a cost-effective way, whether the framework helps industry executives understand cybersecurity risks and whether it conflicts with current best practices. NIST will also revise the framework based on input from a framework development workshop Nov. 14-15 at North Carolina State University’s Centennial campus in Raleigh.

The framework’s content was not a secret simply because NIST had posted multiple drafts online during the process, said NIST Director Patrick Gallagher during a conference call with reporters. NIST’s main focus following the most recent framework development workshop in Dallas in mid-September was to clarify the framework’s language, he said. The newest framework version includes an expanded section on privacy and civil liberties protections and provides additional guidance on how organizations can use the framework, Gallagher said.

The expanded privacy and civil liberties section is based on the Fair Information Practice Principles (FIPPs), as referenced in President Barack Obama’s cybersecurity executive order (CD Feb 14 p1). NIST organized the section to directly correspond with the Framework Core and heavily references its Special Publication 800-53, Revision 4 standard’s “Appendix J” section and the ISO/IEC 27001 standard. NIST said in the preliminary framework that although the FIPPs “provide a process for how [personally identifiable information] should be treated, they do not provide specific implementation methods or best practices.” NIST identified privacy and civil liberties protections as one of several areas that will require additional work before and after the final framework’s release.

The framework is meant to be a “compendium” of existing standards and practices, with the goal of turning those best practices into “common and expected practices,” Gallagher told reporters. The framework is not meant to create an “implied liability” for companies that do not adopt its best practices, he said, though he said it would be in companies’ self-interest to become proactive adopters of the framework. Though a first glance at the preliminary framework would indicate it remained as high level as previous versions, there’s “quite a bit of meat there in terms of best practices,” Gallagher said.

Internet Security Alliance President Larry Clinton said he believed NIST made progress in some areas of the preliminary framework, saying interconnection issues in cybersecurity are now “much better spelled out.” Interconnection issues “are some of the most vexing in cyber,” he told us. “You can’t just secure your own internal systems, you have to keep in mind the broadly connected ecosystem.” NIST also made progress on indicating the need for enterprise-wide appreciation of cybersecurity rather than just within the IT sector, as well as better linking of physical and cybersecurity risks, Clinton said. However, the preliminary framework shows NIST has “walked away” from the executive order’s requirement that the framework address prioritization and cost-effectiveness, Clinton said. The preliminary framework cannot be considered a “truly risk-based framework without better addressing how organizations should prioritize spending on cybersecurity,” he said. “Absent that, we only have an organization of technical controls that doesn’t give you guidance on cost. It assumes that you know all of this, and I think that’s a faulty assumption -- particularly with the target audience for this."

Other experts reacted more negatively to the preliminary framework. “It’s not useful,” said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program, in an email. “Best to put it behind us.” Information Systems Security Association President Ira Winkler told us the preliminary framework is “incredibly underwhelming.” The framework describes a “process perspective best practice in how to do things the NIST way,” said Winkler, who is also president of the Internet Security Advisors Group. “It isn’t a bad way, but it really doesn’t actually provide any guidance -- except to create a plan -- without any regards of implementation in a useful way. It has a sample high level plan, but as the expression goes, ’the devil is in the details.’ Having a high level description of a plan, as the framework proposes, does little to actually ensure the resulting program is actually secure. It matters how well you implement the plan, which is exponentially more difficult."

Reaction from telecom industry groups was more positive. USTelecom President Walter McCormick said in a statement that “NIST has worked hard to reach out to industry and stakeholders and listen carefully to the input of workshop participants, helping to make this a successful collaboration on developing strategies for enhancing our nation’s overall cybersecurity posture.” NCTA said it anticipates a “thorough evaluation of the Preliminary Cybersecurity Framework and will continue to encourage a streamlined approach that relies on existing standards and offers practical guidance for companies to improve their readiness to combat cyber threats.” TIA President Grant Seiffert said in a statement that his organization will also be “closely reviewing this draft and providing input from the ICT [information and communications technology] manufacturer, vendor, and supplier perspective.”