NIST Cybersecurity Framework Issued
The NIST Cybersecurity Framework has been released. It is accompanied by a Roadmap which is intended to be a work plan for future efforts on issues (like authentication) that require further study and work. At first glance the Roadmap looks quite interesting and I'll have more to say about it later. For now, however, a summary of the highlights of the Framework itself:
- The overall core of the Fra
Published by The Lawfare Institute
in Cooperation With
The NIST Cybersecurity Framework has been released. It is accompanied by a Roadmap which is intended to be a work plan for future efforts on issues (like authentication) that require further study and work. At first glance the Roadmap looks quite interesting and I'll have more to say about it later. For now, however, a summary of the highlights of the Framework itself:
- The overall core of the Framework is essentially unchanged from earlier drafts. It identifies 5 key functions (Identify, Protect, Prevent, Respond and Recover) that comprise the critical aspects of a cybersecurity function.
- Likewise, the final Framework retains the draft's idea of "Tiers" to assess compliance with the Framework's standards -- ranging from Tier 1 (Partially Compliant) to Tier 4 (Adaptive)
- And, as before, the Framework relies for its standard setting on pre-existing standards that have been developed by leading industry organizations like NIST and ISO. In short, there are no, new, forward looking standards here that are purpose-built or developed by NIST just for this Framework.
- The only notable change in the final Framework from the initial draft was a significant change to the privacy-protection portions of the Framework. Some in industry and academia criticized the first draft's privacy section as too prescriptive and costly and thus as a deterrence to adoption of the Framework. As a result, NIST decided to drop that portion of the Framework and replace it (in section 3.5) with a more descriptive and hortatory set of processes and activities that should be "considered" when implementing the Framework.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.