Delivering an accessible roadmap to guide the array of the nation's most vital organizations through cyber crisis does sound like a pretty tall order. That may be the reason why the very tool that sets out to do that is meeting with such a mixed bag of praise and criticism.
The so-called “Framework for Improving Critical Infrastructure Cybersecurity,” released in draft late last year and in finalized form in February by the National Institute of Standards and Technology (NIST), sets out to create a voluntary and over-arching structure based on existing standards, guidelines and practices to help key organizations reduce their internet-based risk.
John Pirc, chief technology officer with NSS Labs, attended one of the NIST-hosted cyber security framework workshops, at the University of Texas at Dallas in the fall of last year, and also personally met with the NIST team at their headquarters this spring. For his part, Pirc says he is extremely impressed with NIST's ability to respond quickly to the executive order. “I think the first draft is good and addresses the issues we're facing today,” he says. “As with any security framework, it will receive a lot of feedback – both positive and negative. After meeting with the NIST team, I'm sure that feedback will likely be adopted into the next iteration.”
OUR EXPERTS: Infrastructure defense
Brian Contos, VP and CIO for advanced threat, Blue Coat
Jason Fredrickson, senior director of enterprise application development, Guidance Software
Ed Hammersla, managing director, Raytheon Cyber Products
Torsten George, VP of worldwide marketing and products, Agiliance
Charles Hessifer, sales engineer for federal sales, Tenable
Kent Landfield, director of standards and technology policy, Intel Security
John Pirc, CTO, NSS Labs
Scott Tousley, deputy director for the cyber security division in the Science & Technology Directorate, Department of Homeland Security
Indeed, many industry insiders – some of whom, like Pirc, attended report-developing workshops – say that the current version of the guidance does deliver on a number of fronts. “The framework is a really good start to defining how companies should analyze their cyber security risk, where to put their efforts… and things like that,” says Scott Tousley, deputy director for the cyber security division in the Science & Technology Directorate of the Department of Homeland Security. Tousley, who also attended a number of the workshops that led to the creation of the document, believes the authors were successful in engaging the industry across a number of geographies and business sectors to get a “full sampling” that led to the framework's guidance.
The standard itself is composed of three sections: the “core,” which represents a set of activities to anticipate and defend against cyber attacks; the “implementation tiers,” which provide a set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack; and the “profile,” which can be used to identify opportunities for improving an organization's cyber security posture by comparing a current profile with a target profile.
Another participant in the countrywide workshops, Ed Hammersla, managing director of Raytheon Cyber Products, a wholly-owned subsidiary of Raytheon Co., says the framework has succeeded in “laying down something that's useful to a wide number of entities from critical infrastructure to state government agencies.” He views the endeavor as “mission accomplished” on two fronts: the framework created a public-private partnership, that includes significant input from industry stakeholders; and it can serve as a basic tool for organizations to determine where they are in managing their cyber risk. “There really wasn't anything like this before,” Hammersla says.
Like Hammersla, Kent Landfield, director of standards and technology policy for Intel Security, believes that the framework also serves to create an over-arching taxonomy for cyber risk and cyber security that organizations can use to better communicate and compare where they stand. Landfield, who was involved in the development of the framework and led the NIST delegation on behalf of Intel Security, adds that the issuance of the framework will likely raise awareness among top executives and boards of directors about cyber security risk, as well as help them “make intelligent decisions about where to invest and how to address risk.” He insists that, rather than a framework, the document is really more of a tool for improving an organization's security program.
“We can't say where it's a perfect magic bullet, but it's a step in the right direction to get to the right people,” says Landfield. “That's a critical advancement.”
The good news is that the NIST Cybersecurity Framework avoids placing additional regulatory requirements on businesses and provides a risk-based approach to cyber security, says Torsten George, VP of worldwide marketing and products for Agiliance.