Developing IT Security Best PracticesNIST Analyzes Cybersecurity Framework Comments
The National Institute of Standards and Technology has issued its initial analysis of comments on plans for a cybersecurity best practices framework that President Obama ordered to be developed [see Obama Issues Cybersecurity Executive Order].
The analysis comes in time for a NIST workshop May 29 to 31 at Carnegie Mellon University in Pittsburgh, where efforts to draft the framework will begin.
"That's really where we roll up our sleeves and take our preliminary analysis ... and start to drill down into the substance that will actually be used to create the tool framework," Donna Dodson, chief of NIST's computer security division and deputy chief cybersecurity adviser, says in an interview with Information Security Media Group before the initial analysis was issued [see transcript below].
A preliminary version of the framework, which the owners of the nation's critical IT infrastructure could voluntarily adopt, is scheduled to be published in the fall, with the final version of the framework slated to be issued next February.According to the Initial Analysis of Cybersecurity Framework Request for Information Responses, issued late last week, the key principles include:
- Providing flexibility, which should apply across multiple sectors and across the diverse group of stakeholders.
- Having an impact on global operations, which one stakeholder says should be approached on a consistent and cohesive basis across geographies as well demonstrate a commitment to the global standardization process.
- Adopting a risk management approach. "Balancing the need to deploy risk-appropriate security controls against deploying those mandated by regulatory or contractual obligations is one of the greatest challenges to improving cybersecurity practices," another stakeholder says.
- Leveraging existing approaches, standards and best practices to information security. Owners and operators of critical infrastructure should not have to manage overlapping or duplicative approaches, dual standards and conflicting requirements.
"Initially, we're looking at the cross cuts, those standards and best practices that will apply across the board," says Dodson, who's leading a federal government effort to take hundreds of suggestions from the private sector to create an IT security best practices framework that critical infrastructure operators could voluntarily adopt. "Then, we go from that generalized approach into the specifics needed for different critical sectors."
In the executive order issued in February, Obama directed NIST to work with industry to establish the best IT security practices to protect the nation's critical infrastructure.
In the interview, Dodson discusses the:
- Steps being taken to work with industry to develop the framework;
- Importance of the private-sector submissions on creating IT security best practices; and
- Goals of the workshops.
At NIST, Dodson oversees the institute's cybersecurity program to conduct research, development and outreach necessary to provide standards, guidelines, tools, metrics and practices to protect the information and communication infrastructure. Under her leadership, the division collaborates with industry, academia and other government agencies in research areas such as security management and assurance; cryptography and systems security; identity management; security automation; secure system and component configuration; test validation and measurement of security properties of products and systems; security awareness and outreach; and emerging security technologies.
Best Practices Framework
ERIC CHABROW: First off, what's President Obama asking NIST to do?
DONNA DODSON: Through the executive order, we have been asked to develop a framework to reduce cybersecurity risks to critical infrastructure. In doing that, we've been asked to work with the private sector to determine within that framework what standards, best practices, tools, measurements and metrics would be available today to support the framework and also understand what gaps may be there.
CHABROW: Will there be one grand framework? Will there be specific sector frameworks? Or is it a combination of the two?
DODSON: That's a good question. What will the framework look like when it's finished? We're working very closely with industry today to determine the different elements of the framework. Given that this is a NIST-coordinated activity with heavy involvement from industry, they will work with us on that final product, but we would envision the framework providing information for the different roles and responsibilities of our critical infrastructure, from the CEO down to the technician.
We also envision that the framework will be a living document. Initially, we're looking at the cross cuts, those standards and best practices that will apply across the board, and then how we go from that generalized approach into the specifics needed for different critical sectors. ... We have to publish a preliminary framework in 240 days from the issuance of the executive order.
CHABROW: That would put it in the fall sometime?
DODSON: It would be in the October timeframe. We have to publish the preliminary framework, and we have one year from February 12 for NIST to deliver the final framework. As we're looking at this, we want to provide something that has flexibility and that can be implemented by different sectors. We want it to be specific in other ways so that we're sure we're working to reducing cybersecurity risks within the critical infrastructure.
CHABROW: I visited a page on the NIST website that had about 200 submissions from all types of organizations and individuals suggesting elements of what should be in the framework. Are there common themes in these submissions?
DODSON: To begin the framework process, NIST provided a request for information and posted that publicly, and we received over 240 responses from different elements of their critical infrastructure, some from individuals, some from companies, others from consortia. In that RFI, we ask a number of questions. Right now we're going through the 240 sets of responses that we received to look for commonalities between the different responses. For example, we're looking to see if several international standards may be pointed to the responses that we received.
In addition to that, we're looking to understand if there are major gaps, areas where we really didn't get as much feedback. Based on that RFI and the analysis of the RFI, we will be hosting three workshops during the summer where we're really going to roll up our sleeves, talk about the inputs that we received and gain additional information that will help us to meet that date of publishing the preliminary framework in 240 days.
CHABROW: You already held one earlier in April?
DODSON: The first workshop we held in April at the Department of Commerce, and that really was to give people an idea of what we were looking for in the framework, to hear some general thoughts and considerations that NIST needed to take back as it was developing its approach and timeline. We have a second workshop that will be held in Pittsburgh the end of May. It's a three-day workshop at Carnegie Mellon University. At that workshop, that's really where we roll up our sleeves and take our preliminary analysis from the request for information that we put out and start to drill down into the substance that will actually be used to create the tool framework.
CHABROW: Who will be at that workshop? Who can attend?
DODSON: The workshop, like all of our workshops on the executive order, is open to anybody. ... IT providers, critical infrastructure operators and interested parties are more than welcome to participate. The effort that NIST has taken on with the executive order is really to work with industry in the development of the framework. Those inputs are essential for us as we work to develop and meet our one-year deadline.
Reception to Framework
CHABROW: There seems to be wide interest at least - I don't know if you'd call it support - for the framework from a variety of constituencies. I noticed among the organizations that submitted were organizations like IBM, Cisco, Microsoft, security companies like Mandiant, Symantec, Heartland Payment Systems, the City of Philadelphia, even Huawei Technologies, the Chinese company that's been accused of having its IT ware altered throughout Chinese government to spy on American businesses, as well as some individuals. How would you characterize the reception?
DODSON: We're very pleased with the initial response with the RFI that we put out, as well as the broad support at our initial workshop that we held on the framework. We hope that the energy will continue. NIST will continue to interact, listen and work with the private sector as we move forward in the development process. All of the responses to the RFI are publicly available. They're out on our website. We expect in the next couple of weeks to put out our preliminary analysis of the RFI and give people some information that they can use as they prepare to come and help us with the May workshop.
CHABROW: Who has the final say on the framework?
DODSON: The final framework will be produced by NIST. That will be available in February 2014. The actual say for the framework and what it consists of is really reaching that consensus with industry, like we do often as we develop our standards and best practices that NIST traditionally puts out. We're using that collaborative model - for example, the work we've done with the smart grid, where we brought all the stakeholders together to reach that consensus - to identify where the gaps are, to start rolling up our sleeves and working on those gaps.
Challenges in Developing Final Product
CHABROW: What challenges do you see in developing the final product of the framework?
DODSON: We do recognize the challenge of a very short deadline to produce the framework. But as I mentioned, we see this as a living document. As we identify an appropriate set of standards and best practices today, we understand that as the cybersecurity challenges of the nation evolve, the framework will need to evolve.