NIST to engage with stakeholders on promoting framework use, respond to adoption challenges
By Sara Friedman / August 17, 2022
The National Institute of Standards and Technology wants to consider the needs of international partners in its update to the cybersecurity framework and recognizes that agency regulations will be part of the discussion, NIST officials said today at the first CSF 2.0 workshop.
During the opening panel at the workshop, the officials who are playing a part in the evolution of the framework reflected on NIST’s cyber work over the past four years. Adam Sedgewick led the effort to create the original CSF in 2013-2014 and emphasized how NIST has always tried to remain “technology-neutral.”
Shifts in technology over the past four years have also led to “operational shifts,” Sedgewick said, outlining how NIST wants to address those changes in CSF 2.0. NIST has developed sector-specific resources and also addressed use cases, such as ransomware, through profiles.
Sedgewick is currently a senior technology policy advisor at NIST.
The panel was moderated by James Lewis of the Center for Strategic and International Studies and featured Sedgewick as well as NIST’s Cherilyn Pascoe, Jon Boyens and Amy Mahn. Lewis asked them to weigh in on how the CSF fits into the regulatory environment, taking into account how NIST is focused on generating standards in collaboration with industry and doesn’t set federal policies.
NIST is focused on making the CSF “a resource,” Sedgewick said, noting that “frameworks are different from regulation.” Sedgewick said the regulatory framework is “dynamic” and organizations that work with NIST aren’t necessarily “dealing with the same regulator.”
A review of “legal requirements” is the first step for CSF users, Sedgewick said; then they “scale” as implementation evolves to build cybersecurity frameworks for their needs and manage “other aspects of cybersecurity or privacy and risk.”
Boyens, co-author of NIST’s flagship supply chain risk management publication, said there will be greater focus on “measurement” in CSF 2.0. In the 1.1 update, NIST put metrics and measurement into the framework for the first time, Boyens said, adding that the community focused on the topic has grown over the past few years.
“That’s why we are seeing it again here and why we are discussing it,” Boyens said, reflecting on one of the key themes from the responses to NIST’s request for information from February.
Pascoe, CSF program manager, said NIST wants to more organizations develop profiles because the agency doesn’t have the expertise to create ones for all sectors. NIST has created linkages in other publications, including guidance on Internet of Things and Operational Technology, and implementation projects at the National Cybersecurity Center of Excellence.
On international engagement, Mahn highlighted framework translations on the CSF website and engagements with Italy, Israel and Japan. NIST also wants to work with the International Organization for Standards (ISO) to create more linkages, Mahn said, and to ensure the framework is not U.S.-centric.
Mahn leads NIST’s CSF international engagement efforts. She said the agency is open to putting out more implementation guidance for stakeholders to help with adoption.
The NIST workshop kicked off with remarks from National Cyber Director Chris Inglis and NIST Director Laurie Locascio. There are six panels on key themes that emerged from NIST’s request for information on the CSF 2.0, issued in February. - - Sara Friedman (email@example.com)