Thursday, April 4, 2013

NIST Outlines Next Steps in Drafting Cybersecurity Framework

http://www.hstoday.us/single-article/nist-outlines-next-steps-in-drafting-cybersecurity-framework/61cc6c174551e67a2e9385aed2ae71c0.html


By: Mickey McCarter

04/04/2013 ( 8:00am)


The first of three in-depth workshops on the drafting of a cybersecurity framework will take place at Carnegie Mellon University in Pittsburgh, Pa., May 29-31, allowing time for the National Institute of Standards and Technology (NIST) to coalesce feedback from industry into a guiding document, the agency announced Thursday.

Responses to a request for information (RFI) published by NIST are due Monday, April 8. To date, NIST has received about 40 comments but it expects many more before the deadline, officials said at a one-day conference in Washington, DC.

NIST already is 50 days into drafting the Cybersecurity Framework required by the White House executive order on cybersecurity issued Feb. 12, leaving 190 days left in the process, said Adam Sedgewick, NIST senior information technology policy advisor, during a NIST panel.

Between now and the next workshop, NIST will go through the responses to its RFI on the shape of the Cybersecurity Framework, issued Feb. 24, and make initial determinations on the components of the voluntary framework based on feedback from industry.

The three-day workshop at Carnegie Mellon will focus on working roundtables on key topics of the Cybersecurity Framework, including basic cyber hygiene, risk management, tools and metrics, and existing practices and gaps.

NIST experts will seek out cross-sector security standards and guidelines likely to be applicable to all companies, Sedgewick said. They will divide responses to the RFI into three major categories: risk management; guidelines and standards; and practices that transcend specific industries, such as encryption.

Responses so far have contained some common themes, said Jon Boyens, senior advisor to the NIST Computer Security Division. Those include the caution that one size does not fit all when it comes to cybersecurity planning, a framework that accounts for risk-based decisions, existing risk-based frameworks such as those from the International Organization for Standardization (ISO), specific standards across sectors, the potential disconnect between various organizational levels in management and operations, and others.

Standards identification and harmonization will be a major focus of the examination of RFI responses, said Matt Scholl, deputy chief of the NIST Computer Security Division.

"We don't know what we are talking about yet," Scholl said, emphasizing that NIST must identify the important elements of the Cybersecurity Framework and normalize among them. Doing so will yield a standard method of expressing the contents of the Cybersecurity Framework, an important first step.

As those first steps occur, NIST must work in parallel on planning its move from a convening body to one that actively represents business interests in executing the Cybersecurity Framework through technology transfer, Scholl said.

NIST must understand the appropriate fair governance structure for technology transfer to occur to businesses, he said.

At the same time, the Cybersecurity Framework must be technology neutral, Scholl said. It must measure performance and outcomes rather than prescribing specific solutions. In that way, the Cybersecurity Framework will focus on standards and guidelines, allowing adoption of new technology as it comes along.

"Rather than saying don't use this piece of technology, it should have something about the capabilities for security to have an outcome," Scholl said of the Cybersecurity Framework.

As such, NIST also will assess what success looks like to express how to implement the framework, Scholl said. An organization that successfully implements the Cybersecurity Framework should receive credit for it, and NIST will think of how to measure that success as it moves forward with other determinations.

Scholl agreed with industry attendees that the framework must take into account context specific to various industries, such as individual architectures and overall missions. The process of establishing the Cybersecurity Framework will consider carefully the specific value of critical infrastructure to the country as a whole and its internal assets by sector. NIST plans to carefully consider how the framework might affect business operations with the goal of improving cybersecurity and reducing risk.

In so doing, NIST must ensure it has adequate feedback from various organizations, Scholl said. NIST will avoid being dominated by the input of large organizations, for example, by reaching out to underrepresented smaller organizations.

NIST will do that in part by leveraging its relationship with the Department of Homeland Security (DHS), reaching out to specific sectors of critical infrastructure through their relationships with DHS and the other sector-specific agencies defined by the National Infrastructure Protection Plan, Sedgewick said.
