MFT Nation has followed events related to the Executive Order on Improving Critical Infrastructure Cyber Security. Previously, we discussed public comments made during one of NIST’s public workshops and explored how managed file transfer principles might affect and/or shape the cyber security reform process. Thereafter, we examined NIST’s publication captioned “Initial Analysis of Cyber Security Framework RFI Responses” and found that a substantial majority of private sector business leaders favor a risk-based approach for the cyber security framework.
Last week, NIST released a 33-page document called Discussion Draft of the Preliminary Cybersecurity Framework (“Discussion Draft”). The release of the Discussion Draft was timed to allow for public review and comment before the fourth workshop (September 11-13) and the release of the initial draft of the Framework (in October 2013).
Our review of the Discussion Draft turned up something interesting in the first paragraph of the first page of the document. NIST makes a specific and pointed request to read another section on the first page that is captioned “Note to Reviewers.” The first sentence in the Note to Reviewers section states: “If the Cybersecurity Framework is to be effective in helping to reduce cybersecurity risk to the Nation’s Critical Infrastructure, it must be able to assist organizations in addressing a variety of challenges.” NIST then asks reviewers to “consider” a series of questions that highlight the enormous “challenges,” including whether the framework will disrupt existing cyber security practices; provide the appropriate level of specificity; and maintain flexibility while providing guidance to businesses of all sizes.
We were surprised by the content and placement of the “Note to Reviewers” section. The Discussion Draft is supposed to provide a framework of answers to the nagging questions about how best to reduce cyber security risk. One would think, therefore, that NIST would begin the document with an outline or summary of the long-awaited answers. Instead, the Discussion Draft focuses on the “challenges” and the seemingly imponderable questions that must be answered in order to develop an effective framework that will be applicable to organizations of all sizes and to different industry sectors. In doing so, the Discussion Draft highlights the inherent problem with such an effort, as explained in more detail below.
There Is No One-Size-Fits-All Approach for Ensuring Cyber Security
There’s an old saying that goes “you can’t be all things to all people.” This phrase is often used to describe situations where it is impossible to create something that will be liked or used by everyone. NIST seemingly recognizes that the cyber security framework is such a situation. Indeed, NIST candidly admits in the Discussion Draft that the framework “is not a one-size-fits-all approach.”
So what approach has NIST taken? To answer this question, one can refer back to a statement made by NIST early in the cyber security framework process. In April 2013, Patrick Gallagher, NIST’s Director and Under Secretary of Commerce for Standards and Technology, said: “The framework will probably be a set of references to existing standards.” Mr. Gallagher basically predicted the approach taken in the Discussion Draft. Appendix A of the Discussion Draft is replete with existing standards, guidelines and practices that NIST says will provide “guidance” to organizations for “managing cybersecurity risks, in a manner similar to financial, safety, and organizational risk.”
At What Point Does “Guidance” Become Information Overload?
But the proverbial cup of cyber security “guidance” resources is overflowing with standards, guidelines and practices. According to a GAO report, there are already up to 400 different cybersecurity guidelines available for entities within the critical infrastructure. Also, many industry sectors are already subject to an array of cyber security laws and regulations. So what is the value-add from the proposed framework?
To assist entities with interpretation and adoption of the standards to be developed within the framework, NIST also released a 17-page document called “Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples.” The examples provide a range of technical solutions and mitigation recommendations for various threat scenarios. NIST also cites to supportive “Informative References,” which are existing standards that might be used in the illustrative examples, including NIST’s own Special Publication 800-53. Again, though, these are already existing standards that have been used in the risk management process in the past. So what’s the value-add from providing yet another compendium of already existing risk management standards?
What Does All This Mean For Your Organization?
The problem with the Discussion Draft is not with NIST’s efforts or approach, but rather with the seemingly impossible task of trying to develop a framework that can be all things to all people. It risks becoming excessively broad and may therefore fail in its goal of providing cyber security “guidance” to all organizations, large or small, in the many different industry segments.
In the end, I guess we need to accept the proposed framework for what it actually is, and the Discussion Draft does a good job of doing that in this paragraph:
The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization’s cybersecurity risk management. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference when establishing one.
We will continue monitoring events associated with the Executive Order and keep you updated on developments. In the meantime, feel free to contact us at email@example.com if you have any questions, or if you want our data security experts to analyze your infrastructure to determine how best to protect your valuable and confidential data.