On October 22, the National Institute of Standards and Technology (NIST) published a preliminary cybersecurity “Framework” that it was directed to develop in Executive Order 13636. The Executive Order requires that NIST develop and publish a cybersecurity Framework to protect national critical infrastructure through a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”
The preliminary Framework is the product of a series of workshops held throughout the U.S. since February and industry comments. Within the next few days, NIST will publish a Federal Register notice formally seeking comments on the preliminary Framework before publishing a final Framework document in February 2014.
Previous alerts have analyzed the approaches taken by earlier drafts of the NIST Framework. This alert focuses on several changes in the preliminary Framework published for comments and what they reflect about the industry response to date.
Though the espoused goals and basic structure of the Framework remain unchanged, the preliminary Framework does reflect subtle changes in emphasis from earlier drafts. The Framework still states that it is intended to complement rather than replace an organization’s existing cybersecurity risk management program. The means to achieve this goal also remain essentially unchanged:
Reliance on existing standards, guidance, and best practices
Providing a common language and mechanisms for organizations to:
Describe their current cybersecurity posture
Describe their target state for cybersecurity
Identify and prioritize opportunities for improvement within the context of risk management
Assess progress toward the target state
Foster communications among internal and external stakeholders
The basic structure of the Framework is consistent with earlier drafts:
A Framework “core” consisting of a compilation of government and industry cybersecurity standards and best practices that address five critical cybersecurity functions: threat identification, threat protection, threat detection, response to an attack, and recovery.
A Framework “profile” that represents the outcomes the organization expects to achieve in terms of each of the Framework core categories.
Framework “implementation tiers,” which describe the extent to which the organization’s cybersecurity risk management practices exhibit capabilities that range from informal, reactive responses to threats to those that are agile, risk-informed, and anticipatory.
Challenges to improved cybersecurity. As in the earlier versions, the Framework identifies technical and process weaknesses that pose challenges to achieving improved cybersecurity in critical infrastructure, including authentication, the lack of suitable mechanisms to automatically share indications of a cybersecurity event as it is occurring, supply chain interdependencies, and the lack of a qualified cybersecurity workforce.
While the preliminary Framework retains much of the structure and content of earlier drafts, there are important differences.
Privacy and civil liberties. One of the most significant changes is the elevated attention paid to privacy. The Executive Order requires federal agencies to undertake internal assessments of their compliance with Fair Information Practice Principles (FIPPs), but privacy was not expressly made part of the Framework development process. In earlier versions of the Framework, scant attention was paid to the need for critical infrastructure organizations to address privacy as part of cybersecurity. That nod to the importance of privacy has been replaced with a detailed methodology to protect privacy and civil liberties. This most recent version of the Framework adopts a series of methodologies applicable to each section of the Framework core that Framework users should employ to protect personal privacy and civil liberties as they take actions to achieve their desired Framework profile. These added standards should receive close attention by industry reviewers.
Increased consideration of business needs. It is apparent that industry comments have had an effect in changing the tone of the Framework. Earlier versions were concerned primarily with achieving enhanced cybersecurity without much consideration of the costs or disruptions that such steps might entail. The recent publication places increased emphasis on “factoring in other business needs including cost-effectiveness and innovation.” This emphasis is reflected in the Framework core as well. Where earlier versions defined specific steps for each Framework category and subcategory (e.g., “Protect remote access to organization networks to include telework guidance, mobile devices access restrictions, and cloud computing policies/procedures”), the current version allows an organization more flexibility in claiming that it has achieved the subcategory (e.g., “Remote access is managed”). Whether this increased flexibility in describing an organization’s achievement of a Framework core goal enhances or diminishes the effectiveness of the Framework is likely to be the subject of many formal comments.
Decreased emphasis on continuous improvement. One of the foundations of the earlier drafts of the Framework was an emphasis on continuous improvement of both critical infrastructure organizations and their respective industry sectors. The overt inclusion of industry sectors has been de-emphasized in the current version, and the emphasis is targeted more on individual organizations. Whether the correct balance has been achieved between the responsibility of individual organizations and their infrastructure sector associations and alliances is a matter open for further comment.
The formal comment period will open within a few days. Comments will be accepted at firstname.lastname@example.org.