Export Compliance Daily is a Warren News publication.
Privacy Integration Sought

Industry Stakeholders Urge Revisions to Cybersecurity Framework

The National Institute of Standards and Technology-facilitated Cybersecurity Framework, as currently constructed, “will not stop attacks by advanced threat actors using sophisticated tactics such as exploiting previously unknown vulnerabilities (zero-day attacks) or using never seen before malware,” said Rep. Mike Honda, D-Calif., in comments filed with NIST last week. NIST had solicited public input on the preliminary version of the framework, which the agency released in late October (WID Oct 23 p2). That feedback will aid the agency and industry partners as they ready a final version of the framework for release in February. Comments were due Friday.



Emerging cybersecurity best practices use “behavioral and visualization techniques” to identify and block threats, Honda said. Those techniques include the SC-44 (System and Communications Family) best practice on the use of detonation chambers to find malicious code, which is contained in Revision 4 of NIST’s own Special Publication 800-53 federal information systems security and privacy standard. While many Fortune 500 companies have adopted SC-44, the NIST framework does not use it as an informative reference within the Framework Core, Honda said. “This is a serious oversight that will leave critical infrastructure vulnerable to advanced cyber threats even after they spend resources adopting and implementing the Framework” (http://1.usa.gov/1fc7hTQ).

The ITU’s Study Group 17 said NIST should reference the ITU’s own cybersecurity standards. The recommended ITU standards were: X.1520 on common vulnerabilities and exposures, X.1521 on a common vulnerability scoring system, X.1526 on open vulnerability and assessment language, X.1528 on common platform enumeration, and X.1544 on common attack pattern enumeration and classification (http://1.usa.gov/19HxqpB).

The Intelligence and National Security Alliance believes the framework effectively addresses risk management, perimeter defense, network defense, response and recovery, but suggested NIST include “Cyber Intelligence” and “Insider Threat” as separate categories under the Framework Core’s “Identify” function. “Establishing and employing a Cyber Intelligence capability promotes an intelligence-driven enterprise that transforms the cybersecurity posture from reactive to proactive,” INSA said (http://1.usa.gov/1dbHDwB).

The Computing Technology Industry Association wants the framework to be “navigable to organizations of all sizes” given that there are more than 13,800 small and medium-sized U.S. businesses that could be considered part of the nation’s critical infrastructure. “While the framework presumes that a company will have certain resources, SMBs often lack an IT staff and a security infrastructure,” CompTIA said. “Incentives for adoption for SMBs are an option that should be explored.” CompTIA also suggested NIST provide SMBs with an interactive tool they can use to document their experiences implementing the framework. CompTIA said it also wants a more concrete link between the NIST framework and the National Initiative for Cybersecurity Education’s framework, which establishes standards for professionalizing the cybersecurity workforce (http://1.usa.gov/1hRFhcd).

The Information Technology Industry Council said the framework should more clearly state that adoption is voluntary, enumerate the benefits of adoption and include a workable definition of what framework adoption actually means. ITI suggested that NIST reorganize portions of the Framework Core and adopt an alternative privacy section submitted by the Hogan Lovells law firm (http://1.usa.gov/1cGLuDO). The Hogan Lovells-submitted privacy section would fulfill a “consensus that the privacy methodology included in the Preliminary Cybersecurity Framework should be narrowed and focused so that, like the rest of the Framework, it reflects consensus private sector practices,” said firm partner Harriet Pearson (http://1.usa.gov/1gw4eJT).

The Centre for Information Policy Leadership at the Hunton & Williams law firm believes the framework’s privacy section is “neither theoretically sound nor likely to be workable in practice,” said Fred Cate, the center’s senior policy adviser. The section is primarily problematic because NIST chose to make it a separate section rather than interweave the privacy practices into all aspects of the Framework Core, Cate said. The section is overly broad and appears to ignore privacy and data protection programs industry has developed in consultation with the U.S. government, he said. Cate suggested NIST eliminate privacy as a separate section and include the section’s points in the Framework Core. NIST should “make explicit that the privacy protections apply only in the context of information assurance activities,” Cate said. He also suggested NIST eliminate all references to the Fair Information Policy Principles, as the FIPPs are “a poor basis for addressing most cybersecurity privacy issues.” NIST should instead focus “on more relevant principles of ‘accountability’ and ‘stewardship’ of personal data,” Cate said. “These 21st-century principles increasingly serve as the foundation of successful industry privacy and data protection programs” (http://1.usa.gov/1eb89vl).

The International Association of Privacy Professionals said it had no opinion on whether privacy should be part of the Framework Core or remain a separate section, but said personnel who apply those privacy guidelines as part of framework implementation should be “duly qualified, adequately trained and certified privacy professionals.” The privacy section at present focuses on training all personnel on privacy, but “sound data management practices are not common knowledge,” IAPP said. It said “they require laborious training, continuous education and a verifiable method of certifying skills,” such as the Certified Information Privacy Professional and Certified Information Privacy Manager programs within IAPP (http://1.usa.gov/IUgC7p).