Need some fresh infosec reading this weekend? Try the newly minted Preliminary Cybersecurity Framework (PDF) from NIST, part of the federal effort to help critical infrastructure owners and operators reduce cybersecurity risks (primarily in industries like power generation, transportation and telecommunications). This is the latest and presumably penultimate iteration of the document we first discussed here and later on here.
At 44 pages, this new version is substantially longer than the 33-page "Discussion Draft of the Preliminary Cybersecurity Framework" that appeared in August. A new section highlighting the importance of the cybersecurity workforce has been added to the "Areas for Improvement for the Cybersecurity Framework", which is now Appendix C rather than Chapter 4. And it seems like quite a bit of work was done on the expanded Appendix B: Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program.
As with previous versions, we all get to say what we think. The official announcement says: the U.S. Department of Commerce's National Institute of Standards and Technology will soon open a 45-day public comment period on the Preliminary Framework. The announcement of the opening of the official comment period will run in the Federal Register (the Preliminary Framework can be found at http://www.nist.gov/itl/cyberframework.cfm).
NIST will hold one more workshop to discuss the Preliminary Framework—including implementation and further governance—on November 14 and 15, 2013, at North Carolina State University. Check http://www.nist.gov/itl/csd/5th-cybersecurity-framework-workshop-november-14-15-2013.cfm for more information and to register.
The plan is to release the official framework in February 2014, heroically meeting the schedule set forth in Executive Order 13636—Improving Critical Infrastructure Cybersecurity—despite the federal government being closed for 16 days this month (including the NIST website itself).
The idea of the framework is to "foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber protections while allowing flexibility for specific approaches tailored to each business' market and regulatory environment."
From a technology perspective the framework—CSF as some folks are calling it—aims to be largely agnostic, focused on outcomes over specific technologies, ostensibly to encourage innovation but also, one assumes, to get something agreed upon without seeming to favor any vendors.
Here's how NIST director Dr. Patrick Gallagher describes the goals of the CSF:
We want to turn today's best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business...The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.
Having had just a short time to look at this latest version of the CSF I am impressed with the progress, particularly in the areas of workforce, privacy, and supply chain. But I'm a bit confused by the lack of references to a pair of topics that featured in discussions at past workshops: political resolve, and the role of cyber security insurance that my colleague Cameron Camp reported on from the Dallas workshop.
I'm sure that many privacy officers will appreciate "The Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program" as a way to steer organizations toward privacy best practices. The statement on cybersecurity workforce is worth reproducing in full.
A skilled cybersecurity workforce is necessary to meet the unique cybersecurity needs of critical infrastructure. While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure. As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments.
Efforts such as the National Centers of Academic Excellence in Information Assurance Education (CAE/IAE) and the National Initiative for Cybersecurity Education (NICE) are currently creating the underpinnings of a cybersecurity workforce for the future, and establishing an operational, sustainable and continually improving cybersecurity education program to provide a pipeline of skilled workers for the private sector and government. While progress has been made through these and other programs, greater attention is needed to help organizations understand their current and future cybersecurity workforce needs, and to develop hiring, acquisition, and training resources to raise the level of technical competence of those who build, operate, and defend systems delivering critical infrastructure services.
I go along with all of that and I think NIST is right to append this to the CSF. What's missing is an explicit acknowledgement that without commitment and resolve at the highest levels in government and industry, this is not going to happen. Indeed, without political will behind it, the CSF effort is in danger of becoming a very helpful, but ultimately ineffectual, blueprint for what should be done, rather than a road map for what we as a society are committed to achieve: an efficient digital infrastructure that can thwart cyber attacks.