Joint process needed for security framework

A request for a joint and collaborative process was a consistent theme in the comments from NIST’s December 2015 Request for Information on the Cybersecurity Framework, which was created to improve cyber security risk management.

04/18/2016


Whenever the federally led Cybersecurity Framework gets updated, the consensus is there needs to be a collaborative update process, similar to the initial development process, and minimal disruption to current industry use.

In February 2014, NIST published the Cybersecurity Framework as called for by Executive Order 13636. The goal of the framework was to minimize risks to the nation's critical infrastructure, such as the transportation, banking, water and energy sectors. The executive order directed NIST to work with stakeholders across the country to develop the voluntary framework based on existing cyber security standards, guidelines and best practices.

NIST's December 2015 Request for Information on the Cybersecurity Framework called for comments on using the framework to improve cyber security risk management, sharing best practices, and long-term governance of the framework.

"We received 105 comments from a diverse group that included local, state national and international governments, a cross section of the critical-infrastructure community, and a number of other types of organizations," said Matthew Barrett, NIST's program manager for the Cybersecurity Framework. "The responses actually represent thousands of organizations because a large number of industry organizations submitted comments on behalf of all of their member companies."

NIST identified 10 recurring themes among the responses and provided an explanation of each, along with associated key terms and example responses.

While perspectives varied on whether it would soon be time for a framework update, respondents agreed on the need for a collaborative update process, similar to the initial development process, with minimal disruption to current industry use, as explained in the document. Some commenters said the focus should be on clarifying use of the framework, in particular for supply chain risk management and when using implementation tiers.

Respondents also discussed the relationship between the framework and regulatory requirements. For example, respondents discussed the possibility that it could enable multiple regulatory agencies to align diverse requirements in the regulatory process. But respondents also called for, "Caution against the potential for regulation to add burdens on their organizations," according to the analysis.

Other themes focused on sharing additional information about framework use and best practices. Respondents requested more guidance on framework implementation, particularly for small- and medium-sized businesses. Another theme covered the need for continued international alignment and harmonization of cyber security standards.

Commenters were comfortable with NIST's current leadership but wanted to consider transition in the future. The consensus was the future steward of the framework should be a respected, internationally recognized, and 
neutral third-party organization.

"These comments provide strong input for the framework's future and revealed that the number of organizations using the framework is growing," Barrett said.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

ONLINE extra

See additional stories from ISSSource about cyber security below.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Big Data and IIoT value; Monitoring Big Data; Robotics safety standards and programming; Learning about PID
Motor specification guidelines; Understanding multivariable control; Improving a safety instrumented system; 2017 Engineers' Choice Award Winners
Selecting the best controller from several viewpoints; System integrator advice for the IIoT; TSN and real-time Ethernet; Questions to ask when selecting a VFD; Action items for an aging PLC/DCS
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Motion control advances and solutions can help with machine control, automated control on assembly lines, integration of robotics and automation, and machine safety.
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
click me