In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. The Framework details a set of standards, procedures, and processes that can be adopted by organizations to help them align their policy, business, and technological approaches to deal with cybersecurity risks.
In December 2015, NIST issued a request for information (RFI) seeking feedback on use of the Cybersecurity Framework. NIST also asked for comments on the long-term governance of the Framework and on how best practices for its use should be shared. NIST received 105 responses.
Further feedback was sought from stakeholders at an April 6-7, 2016 workshop in Gaithersburg, MD, specifically on best-practice sharing, case studies, further development of the Framework, and the NIST Roadmap for Improving Critical Infrastructure Cybersecurity.
The feedback received from the RFI and the workshop indicated that the Framework has proved to be a useful organization- and system-level tool and valuable for coordinating cybersecurity. Organizations from a wide range of industry sectors have used the Framework as an assessment methodology and have found it useful for communicating cybersecurity needs to partners, service providers and vendors.
However, workshop attendees felt that some refinement was possible to improve usability. Some participants recommended issuing additional guidance to help operationalize the Framework, and suggested case studies and profiles as a good starting point. It was also suggested that an ongoing ecosystem should be maintained to promote use of the Framework and to facilitate the sharing of cybersecurity practices.
Virtually all workshop attendees and RFI commenters felt that NIST should remain involved with the Framework and should, at least for the foreseeable future, be responsible for the Framework’s evolution and maintenance.
It was suggested that NIST reserve the term “best practices” for organizations that have gone above and beyond others and have developed practices that genuinely warrant the word “best”, and that NIST should instead use the term “current practices” when sharing cybersecurity practices in general. Workshop participants also suggested that it was perhaps too early to be sharing practices extensively, given the absence of widely accepted assessment methodologies.
Many participants felt that NIST should publish assessment criteria to help organizations evaluate their cybersecurity practices, and it was felt that a self-assessment tool would be particularly useful in this regard.
Concern was raised that sharing cybersecurity practices with other organizations may either place an organization at a competitive disadvantage or provide cybercriminals with an intelligence-gathering opportunity that makes the organization more likely to suffer a cyberattack. NIST reported that no consensus was reached on these points.
A majority of stakeholders suggested that an update to the NIST Cybersecurity Framework would be necessary in the short term, and that additional guidance should be issued on how to implement the outcomes and activities laid out in the Framework.
NIST has announced that a minor update will occur and that a draft will be issued for public comment in early 2017. The update will add informative references, clarify the implementation tiers, and address cyber threat intelligence in the Framework Core. Guidance will also be issued on supply chain risk management.
NIST also confirmed that it has started to develop self-assessment criteria to help organizations understand their cybersecurity risk management practices.