Nine months ago, the National Institute of Standards and Technology (NIST) released version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (Framework). NIST recently sought and received public feedback from industry relating to “awareness” of, “experiences” with, and a proposed “roadmap for the future” of the Framework. Since bTrade’s MFT Nation blog followed events leading up to the release of the Framework, we decided to provide some input on the post-release public feedback.
I attended a cybersecurity workshop this week and the Framework was discussed early and often. The workshop attendees included a good mix of individuals representing the major stakeholders in an enterprise’s cybersecurity process—IT, compliance, legal, product development, marketing and support/customer service. One of the attendees described the Framework process in what I thought was an interesting way. He said the Framework should be viewed as a “journey rather than a destination.” That pretty well sums up what I gleaned from the public comments about the Framework, as explained below.
The consensus from respondents is that a high level of “awareness” exists. No surprise there. When government asks industry whether it is “aware” of a particular government initiative, I would expect industry to say “yes, we are aware.”
The “destination vs. journey” analogy begins to take shape when reading the responses in the “experiences” section. The respondents describe how far along they are in completing the Framework’s risk management process. But many also highlight the amount of time and effort it takes to comply with yet another set of cybersecurity standards.
For example, one respondent said the cybersecurity standards within its industry are “more comprehensive that what is outlined in the Framework.” As a result, industry members have had to expend time and effort to “map” the Framework objectives to other internal and/or industry standards.
Another respondent expressed a similar thought: “Information-security requirements should not be cumulative … [so] [i]t is positive that Michael Daniel, the administration’s lead cyber official, has made harmonizing existing cyber regulations with the framework a priority.”
One respondent notes areas where it thought the Framework has either “hit the mark” or “needs additional work.” The “needs additional work” category describes the following problems that pose very serious challenges to the future success and adoption of the Framework:
- The integration of policies, and specifically control standards, with specific practices is labor intensive and might not be as valuable for mature programs.
- It is not clear why the framework doesn’t include several of the NIST 800-53 Controls.
- The Framework and its components are not directly measurable. This should be a more measurable framework.
- The lack of metrics surrounding adherence or “compliance” to the Framework is a gap that should be addressed.
- There is no one-size-fits-all answer for cybersecurity, and we’re skeptical that governments can provide comprehensive, prescriptive guidelines for all entities across industries.
- While the core structure of the Framework is solid, having been built using various existing standards and models, the “hype” associated with the Framework may have set expectations of something more groundbreaking than it may turn out to be. Furthermore, while the notion of implementation tiers provides for a more flexible approach in the application of the Framework, the lack of practical examples or reference models through sample profiles either at a broad or sector level make it difficult to understand the expectations of external entities such as regulators.
Roadmap for the Future
Like the “experiences” section, industry respondents had long lists of roadmap suggestions, such as this list from one respondent:
- Build in implementation guidance, outcome metrics and measurements.
- Provide illustrative examples that aid in tiering self-assessment.
- Add risk and threat analysis and prioritization.
- Integrate with existing governance, risk and compliance (GRC) solutions.
- Target small institution education and adoption.
- Give it time to “steep” in enterprise systems before embarking on the next version.
- Provide guidance that takes into account organizations at various levels of maturity along the cybersecurity spectrum. NIST should continue to encourage consistency through ongoing awareness, practical examples and collaborative opportunities.
- Include cross-references to selected transnational frameworks – such as Information Security Forum – as a foundation for harmonization across global firms.
- To the extent it becomes used as regulatory guidance, the Framework should provide training and assessment standards for the regulator/auditor to recognize compliance with the Framework. The Framework provides an important opportunity to drive harmonization across the regulatory environment, particularly as regulatory agencies expand their examination programs to assist smaller financial institutions manage risk assurances from third party service providers on whom they depend.
- Although every institution has differing systems and threat profiles, NIST should provide examples of security controls that would provide the most benefit for the least cost. Doing so would serve the needs of smaller institutions who are challenged to allocate resources and elevate their security posture.
- NIST could help improve usage by developing a way for institutions to benchmark within and across sectors.
What is NIST Saying about the Public Comments?
Adam Sedgewick, senior policy analyst for NIST, said “we’ve seen organizations approach the Framework in different ways. Some are using it to start conversations within their organizations or across their sectors, others to create detailed cyber risk management plans. We want to hear from all stakeholders to understand how they’ve used the framework, how it’s been helpful, and where challenges may lie.”
Based on the aforementioned responses, I think industry has provided NIST with good information for all these areas. As mentioned, the Framework should be viewed as a journey, not a destination. Serious challenges lie ahead on this journey, and time will tell if industry and government are up to the challenge, or whether the Framework will become too cumbersome and eventually fade into the background. Either way, MFT Nation will be here to report on developments.