In the current world of cybersecurity, the most important document out there is the “Framework for Improving Critical Infrastructure Cybersecurity” or the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF). In fact, while NIST has held the pen on drafting the Framework, it is much more than a NIST-produced document. Developed in response to the instruction in Section 7 of 2013’s Executive Order 13326, it was issued in final form February 12, 2014 after a comprehensive 1-year process to collect the best thinking on how to improve organizational cybersecurity in each of the 16 designated critical infrastructure sectors with input from the entire cybersecurity community. In a phrase, the CSF guides organizations to adopt a risk management approach to cybersecurity that focuses on people, process, and technology (rather than treating cybersecurity as an IT problem alone). But I cannot summarize the document better than NIST did in July:
“The Framework for Improving Critical Infrastructure Cybersecurity provides a voluntary, flexible approach to help an organization better understand, manage, and reduce its cybersecurity risks. Based on existing standards, guidelines, and practices, the Framework can aid in prioritizing investments and maximizing the impact of each dollar spent on cybersecurity. By providing a common language, it is especially helpful in communicating about cybersecurity inside and outside the organization. That includes improving cybersecurity communications, awareness, and understanding between and among information technology, planning, and operating units, as well as senior executives and between a buyer and supplier.”
The occasion for NIST to characterize the CSF was its readout on the CSF workshop held in May of this year. The subject of that, the eighth workshop held since the development of the CSF began, was to discuss how to revise the document. Without taking anything away from what the CSF has accomplished, everyone acknowledges it can be improved. Moreover, it is probably uncontroversial to suggest that it carries too much of a burden as the single most-cited resource for guiding organizational cyber risk reduction. There have been calls (see page 25) to apply it beyond its original focus on the 16 critical infrastructure sectors and the federal government adopted the CSF as the means to improve the government’s cybersecurity posture in an Executive Order on cybersecurity issued this year (see §1(c)).
The basic approach in the CSF is not controls-based but an approach to cybersecurity across the organization that focuses on how the efforts taken in pursuit of cybersecurity work in practice and from planning to response and recovery to a cyber incident. There is a fundamental focus on the people and process as well as the technology aspects of cybersecurity. The difference between CSF and an information security standard or control system is not always well-understood as evidenced by the desire of many to directly measure the implementation of the CSF in organizations. CSF is complementary with existing control systems but works best as a planning document that allows the organization to assess its current cybersecurity posture and create a goal for the future. (The CSF calls the results of these analyses current or “as is” and target or “to be” Profiles.)
One month shy of CSF’s three year anniversary in January of this year, NIST released the first draft of a revision, Version 1.1 (linked here with the mark-up from the existing version). Following a comment period and 108 comments submitted by parties ranging from companies to trade associations, other nation’s governments to other government agencies, NIST published a summary of the comments and drafted an agenda for the latest in its series of workshops to discuss the draft.
NIST has used the workshop process to collect input and develop the Framework from the time the President mandated the creation of the CSF through the early period of its implementation. This latest workshop provided an opportunity to focus on the draft Version 1.1 and try and determine how best to proceed. (Full disclosure: I acted as a paid moderator at the latest Workshop for the a few of the sessions.)
NIST has now released its summary of the Workshop’s sessions in a 20 page summary that covers each aspect of the agenda of the Workshop with a summary of the discussions that took place in each of those sessions. I commend the entire document to your attention.