NIST discussion draft of cybersecurity framework leaves many unanswered questions
A discussion draft of the preliminary cybersecurity framework still leaves a lot of the implementation details undecided, acknowledge National Institute of Standards and Technology officials.

NIST released the discussion draft (.pdf) Aug. 28 in anticipation of a fourth workshop on the framework set to be held in Dallas Sept. 11-13. A preliminary framework is due this October, with a finalized version due in February.

President Obama called for its creation and voluntary adoption by operators of critical infrastructure in a February executive order, EO 13636. Multiple federal agencies have studied what incentives the federal government could extend to operators for its implementation.

The preliminary draft proposes five functions around which the framework core could be built: Identify, Protect, Detect, Respond, Recover. The first, Identify, refers to identification of assets, data and capabilities within an organization rather than, say, identification of threats.

Each of those functions would contain categories and subcategories; the subcategories would be mapped to possible security controls firms could adopt.

For example, within the Identify function, there would be an asset management category, with subcategories that include the inventorying and tracking of physical devices, the inventorying of software applications, and others.

The controls matched to subcategories are "informative" in nature, noted Matt Scholl, deputy division chief within the NIST computer security division.

In standards-speak, that means the controls aren't normative: that is, they wouldn't be mandatory and could only inform companies' actions. Firms would decide which of the controls "is applicable to them, if any, and what, in any combination" they implement, he said.

The draft preliminary framework does call for companies to rate their implementation of the framework on a four-level scale ranging from Tier 0 ("partial") to Tier 3 ("adaptive").

Asked how those tier ratings could be compared from one company to the next if the controls aren't standardized, Scholl said that's one matter among many to be discussed at Dallas.

NIST Senior Information Technology Policy Advisor Adam Sedgewick noted that the draft preliminary framework includes several areas that still need additional work, one of which is assessing conformity to the framework. But the idea of the framework is to offer flexibility to critical infrastructure operators, he stressed.

For more:
- download the draft preliminary framework (.pdf)
- go to the NIST cybersecurity framework webpage (links to additional documents available)
