The NIST Cybersecurity Framework has been released. It is accompanied by a Roadmap which is intended to be a work plan for future efforts on issues (like authentication) that require further study and work. At first glance the Roadmap looks quite interesting and I’ll have more to say about it later. For now, however, a summary of the highlights of the Framework itself:
- The overall core of the Framework is essentially unchanged from earlier drafts. It identifies 5 key functions (Identify, Protect, Prevent, Respond and Recover) that comprise the critical aspects of a cybersecurity function.
- Likewise, the final Framework retains the draft’s idea of “Tiers” to assess compliance with the Framework’s standards — ranging from Tier 1 (Partially Compliant) to Tier 4 (Adaptive)
- And, as before, the Framework relies for its standard setting on pre-existing standards that have been developed by leading industry organizations like NIST and ISO. In short, there are no, new, forward looking standards here that are purpose-built or developed by NIST just for this Framework.
- The only notable change in the final Framework from the initial draft was a significant change to the privacy-protection portions of the Framework. Some in industry and academia criticized the first draft’s privacy section as too prescriptive and costly and thus as a deterrence to adoption of the Framework. As a result, NIST decided to drop that portion of the Framework and replace it (in section 3.5) with a more descriptive and hortatory set of processes and activities that should be “considered” when implementing the Framework.
My bottom line: The NIST Framework will probably drive the private sector toward the NIST security model through common law liability. If we layer on top of that other Federal incentives (like grants, or preferential access to threat and vulnerability information) the pressure to conform will be significant. And, yet, the security model is very “status quo” and probably will not significantly improve security at the top end of the threat spectrum.