Securing the Digital World

NIST Cybersecurity Framework (CSF) Spring 2017 Workshop Findings

May 31, 2017 | by Chris Hoover |

To shape their Cybersecurity Framework (CSF), NIST convenes a series of workshops open to any industry practitioners, vendors, or academics who wish to attend. I recently returned from the 2017 NIST CSF Workshop at their headquarters in Gaithersburg, MD. For those interested in the NIST CSF but were unable to attend, I will quickly run through the highlights. The exciting thing about these workshops that makes them different from any other framework or guidance is the feedback from the audience gets translated in very high fidelity into the next version of the CSF.

In addition to a recent round of public review, feedback from the 2017 workshop will be incorporated into CSF version 1.1 later this year. Keeping this in mind, the feedback captured below is a sneak-peek into what the finalized NIST CSF 1.1 might look like. The bullets are a mixture of comments and recommendations from the conference attendees for each topic. These comments are very high level, but you can access recordings of many of the sessions here. If I were a betting person, I would expect to see most of these items incorporated into the NIST CSF roadmap and for many to be in the final version of NIST CSF 1.1.

Attendees from the Communications Sector group said:
  • Streamline the CSF
  • NIST should give guidance on metrics
  • Provide guidance on how to pinpoint cause and effect
  • Need performance management metrics
  • Metrics need to be understandable to audience
  • NIST should provide more starters' guides
Attendees from the Corporate Governance group said:
  • Incorporate more existing supplemental resources
  • Need "sign here" accountability (incorporate an approval workflow)
  • Define measurements used in communicating with board
  • The group acknowledge boards want to understand CSF and cyber posture
  • CSF should speak in the language of the board, the language of business
  • Define types of questions boards should be asking?
    • Are we prepared for attack?
    • How are our peers handling it?
    • What risk will we accept?
  • Implement supplemental resources from Baldrige and NACD
Attendees from the Small and Medium Business group said:
  • Clarify how small business should implement CSF
  • How can it be more usable to small business?
  • Do a better job showing relevance in terms of marketing / language
  • Tie CSF to bottom line / what's in it for the small & medium business?
  • "Have a champion" even in small business
  • Adapt where small/medium businesses don't match up with structure of large business (example give: small company who made a small board of security stakeholders to replace function of CISO since they didn't have one)
  • Provide prioritization list of which categories/subcategories to implement and in which order, tailored to small business
NIST CSF has broad, voluntary adoption abroad. Attendees from the International group said:
  • Discuss translation to other languages
  • Map alignment to international frameworks and guidance
  • Address cultural impacts, cultural differences (Example: differences in willingness to talk about risk)
  • Open to ISO standard mapping to core but not to category level
  • Revisit, in international context, the issues of mandatory vs voluntary and public vs private sector
Attendees from the Internet of Things (IoT) group said:
  • Focus more on supply chain risk mgmt.
  • Consensus that CSF is applicable to IoT
  • CSF break IoT topics into smaller profiles
    • Sector-based
    • Use-case based
    • Threat-based
Attendees from the Financial group said:
  • Customization of financial profile
  • For industry + government, what are the combined objectives?
  • Single set of diagnostic statements, preferably yes/no statements
  • Group acknowledged value of Baldrige for financial sector
NIST's Closing Comments on "What We Heard" (items which didn't fit into any other category)
  • Measurement
    • Too vague, need more guidance
    • Need to update types of metrics
    • Revisit what makes good metrics
  • Update Next Draft (finalized version 1.1 and roadmap beyond)
    • Add a subcategory for authentication in PR.AC (Function: Privacy, Category: Access Control)
    • Tiers
      • Community affirmed they are useful
      • Need more introductory text for clarity
      • Confirmed they are not the same as maturity model
  • Add a new category/subcategory for Supply Chain Risk Mgmt.
  • Examples of informative references to add to next :

I hope find this information useful. As always, please email me with comments or questions.