I just got back from NIST’s 6th Cybersecurity Framework Workshop in Tampa and wanted to share some of the really positive signs of progress. This was the sixth workshop, but the first in another sense: it has been eight months since the release of the framework, and this was the first post-release workshop where a significant number of organizations had had enough time to assimilate the document, message it throughout their organization, plan, implement, debate, etc. For all these reasons, unlike previous sessions, which were more about tinkering with the framework itself, this one was much more about getting meaningful feedback from early adopters and discussing the value people have realized by implementing it.
What are the strengths?
Several panel speakers made the same point that just discussing and planning the use of the CSF had multiple positive results. It forced them to bring stakeholders together that had not been communicating previously. It forced them to define what risk means to each of the stakeholders. Finally, it forced them to define their risk appetites.
While NIST continuously points out that there is no such thing as “CSF-compliant”, many people want to use it for vetting. This point came up several times in the context of vendor-to-vendor relations and supply-chain, that the CSF could be used for business partners or prospective clients to show each other where they are in their security programs. One of the panel speakers, who works for a collective that approves funding for large-scale utility investments, said that they want to see evidence of prudent decision making before they invest. They have embraced the CSF as an indicator for prudent decision-making in IT security, an area where they are not experts.
“Flexibility is the core strength of the framework.” This was the most common message of the workshop, repeated by many panel speakers and throughout the working sessions. Tim Casey, a risk executive from the chip-maker Intel, gave several examples of how they tailored the categories and subcategories provided by NIST to their own needs. This included adding an entirely new category: Threat Intelligence. They did all of this while in contact with NIST, who consistently offer the message of “tailor it to work for your organization”. Another panel speaker, from Chevron, specifically noted that the DHS CSET tool, a precursor to the NIST CSF that also targets critical infrastructure, was not customizable, and pointed out that the CSF gave him the flexibility he needed to build the appropriate in-house solution.
How hard is it?
A lot of the questions from the audience to the session panel speakers were around the level of effort involved in implementing the framework. On this subject, Chris Boyers from AT&T said that “NIST had created a great product, one that industry can largely support”. A more enthusiastic endorsement came from Intel, who said that for their enormous, multi-billion dollar company, defining their internal process and stakeholders and completing their first, high-level assessment had taken less than 150 work hours. Most of the audience (including myself) was pretty obviously surprised by that number.
Where is it going?
Ari Schwarz, from the National Security Council, headed off questions about a CSF version 2. He essentially said there would be no change in the near future, and that organizations should implement it as it stands rather than wait for v2. I think confusion around this subject comes from the NIST CSF Roadmap. These were areas for planned improvement that NIST released almost at the same time as the CSF itself. NIST was simply acknowledging that it knew there were areas that would grow, but that implementing the CSF would still be valuable in the meantime.
There were also delegates from the UK government and the European Union present. The short takeaway from them: first, the UK likes the CSF and is encouraging its use among its companies; second, the CSF will be most successful when it’s embraced globally. This is really just a supply chain comment, since we live in a global economy.
Lastly, RSA was present in the tech expo area, which was restricted to only five vendors. We provided demos of our NIST CSF proof of concept. That’s all for now.
Email me with comments or questions, or if you would like a demo of our CSF POC.
Thanks for reading.