As we barrel into Valentine’s Day, it seems industry is falling in love again with the National Institute of Standards and Technology’s (NIST) cyber framework makeover. Business groups and the tech sector reacted favorably to the latest update to the NIST Framework for Improving Critical Infrastructure, but noted that more work needs to be done in several key areas.
The popular framework, which is now being used as a set of voluntary security guidelines by 30 percent of U.S. businesses, was first issued in 2014 and has been undergoing improvements ever since. NIST issued the latest revision, Version 1.1 Draft 2, in December and the public comment period ended last week.
Most of the feedback from groups like the U.S. Chamber of Commerce, the Healthcare Information and Management Systems Society (HIMSS), and security vendors like McAfee centered around topics of self-assessment, measuring risk, supply chain, and the Framework’s four implementation tiers.
The Chamber of Commerce said it welcomed the change in wording in Draft 2 which “emphasizes that organizations can assess their cyber risks internally or by seeking a third-party assessment.” This addressed industry concerns that third parties, either public or private, could have access to data that a company generates when using the Framework.
The Chamber said, “Businesses should not have to look over their shoulders at regulators when judging the Framework’s utility to their cybersecurity.” With respect to measurement of security risk, the Chamber added that “industry actors should never be compelled formally or informally to disclose measurement information to third parties.”
The Information Technology Industry (ITI) weighed in as well, saying that “Draft 2 incorporates changes to deepen and broaden the effectiveness of the Framework in helping a broad array of stakeholders better manage cybersecurity risks.”
HIMSS said it wants NIST to provide more guidance on when an organization can or should move from one implementation tier to another. The group also pointed out that in today’s complex world of cybersecurity, an organization could be a blend of the four different stages of cybersecurity preparedness (partial, risk informed, repeatable, and adaptive), rather than sitting at a single tier across the entire enterprise.
Further, HIMSS pointed out that in healthcare the vast majority of devices, including Internet of Things (IoT) devices, are connected, which means it is vitally important to include supply chain risk management in the Framework. “The issue is so important that HIMSS recommends that the Framework could benefit from additional guidance on this subject.”
Security vendor McAfee added, “While there is always room for improvement, we believe the Framework Version 1.1 Draft 2 has included much of what is needed to improve an organization’s cyber risk management program. Additional areas included and refined in this version, such as coordinated vulnerability disclosure and a focus on incorporating how to deal with the evolving threat landscape, are vital for organizations to understand and incorporate into their cyber risk management processes.”
McAfee agreed with HIMSS that the definition of the implementation tiers still needs work. As McAfee put it, “The implementation tiers would benefit from more information.”
The American Water Works Association praised NIST for clarifying the self-assessment issue and for adding supply chain controls to the Framework. The group echoed other voices on the tiering issue, saying, “We do find the tiering process to be the least valuable aspect of the Framework.”
Who said security frameworks aren’t interesting? It seems NIST is not short of cyber love letters.