The newest draft of the government’s cybersecurity framework, released Wednesday, fleshes out the bare-bones outline from July and adds some illustrative graphics, but still leaves much to be discussed and decided.
The National Institute of Standards and Technology — which the president tasked with creating the framework — published the draft in advance of the last of four workshops it has held on the matter. From Sept. 11-13, private industry, academia and government will convene in Dallas to hammer out some of those final details for the framework, due in October.
The updated draft tweaks the evaluation rubric slightly from the previous iteration. The framework is built around five functions: identify, protect, detect, respond, recover (swapping out “know” and “prevent” — the first two steps in the prior draft). The idea of the function setup is that a company can’t protect its system until it identifies and does risk assessments on its assets, data and capabilities. And it can’t detect intrusions until it has protective measures in place. And so on.
Each of those five functions is now broken down into categories and subcategories. Categories are various cybersecurity activities “closely tied to programmatic needs.” So under the function “identify,” for instance, one category is “asset management,” part of understanding your networks. Other categories for later functions include “access control” — under “protect” — and “detection processes” — under “detect.”
Subcategories are the actual activities required to technically achieve each category. So for “identify” a company would have to “inventory and track physical devices and systems within the organization.”
Finally, after all of these steps, the new draft includes “informative references,” which could crudely be referred to as “solutions.” In NIST parlance, they are “standards and practices common among the critical infrastructure sectors and illustrate a method to accomplish the activities within each subcategory.”
To show how this framework would map onto the real world, a related document walks through three examples of a company using the functions, categories, subcategories and informative references for specific issues: cybersecurity instructions, malware and insider threats.
The new draft also lays out a four-tier scale for companies to rate themselves on implementation, from Tier 0 — “partial” — to Tier 3 — “adaptive.” The tiered adoption scale will be a focus of the upcoming discussion in Dallas. As the framework is just a set of guidelines, not specific standards to meet, it is unclear exactly how each company would rate itself on the tiered scale.
Adoption incentives will also feature prominently in the discussion. In early August, the White House released a set of eight incentives to galvanize the private sector into adopting NIST’s framework. From enhanced cybersecurity insurance, to federal grants and liability protections for compliant companies, the list ranged from the realistic — just needing an executive order — to the idealistic — needing action from a recalcitrant Congress. The Dallas forum will be the first large-scale venue for the private industry to comment on those incentives.