InduSoft attended the 3rd NIST Cybersecurity Framework Workshop, held at UC San Diego on July 10-12. Since the 2nd Workshop in Pittsburgh at Carnegie Mellon University, NIST has used what it calls the “Big Brain” to take all of the suggestions and input provided by the attendees of that workshop, plus anything sent to firstname.lastname@example.org, and compile it into a Framework Outline. The purpose of the 3rd Workshop was to fill in the gaps and start to flesh out the framework so that it can be applied in the real world. So far, more than 2,500 people and organizations have sent in suggestions and recommendations, and we estimate that over 500 people attended in San Diego. NIST suggested that the attendees represented the “Best of the Best” thinkers from all aspects of Industry, Science, Government, and Education, and that we are to become the ambassadors of the final Cybersecurity Framework.
This set of workshops was created by NIST in response to the task set forth in Executive Order 13636 (http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf), which calls for a scalable security framework that can be applied to critical infrastructure (for our readers, this generally means all Industrial Control Systems, SCADA, and HMI systems and devices) and that will help owners and operators secure their enterprises, or at least become aware of the security gaps that may exist within them, no matter the size of the organization. The order allowed 240 days for the framework to be established, and the point at which roughly 90 days remain has just passed. While the order applies to the United States, it is likely that agencies around the globe will use the result as a model for their own countries’ infrastructure and cybersecurity standards. The executive order does not give NIST any “teeth” to impose the framework: public adoption is intended to be entirely voluntary. However, the various Federal Government agencies under the jurisdiction of the order will likely be required to implement the recommendations in the Framework.
The plenary sessions were held in the Mandeville Auditorium, which was large enough to hold the entire assemblage. The plenaries for Day 1 and Day 2 were carried as a live public webcast and will also be available for viewing at http://www.nist.gov (approximately July 20th). Following the plenaries, the group broke up into smaller assigned workgroup sessions, where we spent most of our time, so that each section of the Framework could be discussed by everyone and input gathered from anyone who wanted to give it. Each session had a recorder and an expert on the framework as discussed thus far, so that clarifications and abstract points could be worked through in the context of the Framework. The input from the participants will be compiled by the “Big Brain” into common themes and areas of need, with gaps filled in as they are discovered. The Day 2 plenary discussed some of the common themes that emerged, and the gaps that were discovered, once the discussions and input from all of the previous day’s workgroups had been compiled.
We had a representative from Capitol Hill in our workgroup, and late on Thursday he gave us his opinion of what the future of the Framework will entail. He suggested, off the record, that if the Framework is not voluntarily adopted, the various regulatory agencies overseeing the critical vertical industries will likely begin to mandate it into law, and that Congress is ready to act on this immediately, given the nature of the potential cybersecurity threats to the United States. Additionally, an attorney in our group offered the opinion, also off the record, that insurers will likely use this cybersecurity framework as a compliance yardstick when establishing the insurance risk of the companies they cover.
When the Cybersecurity Framework is finally completed, InduSoft intends to provide an overview of what it will mean and how it can be used by our customers to reduce or minimize cybersecurity risk within their organizations.
The 4th and final NIST Cybersecurity Framework Workshop will be held in Dallas on the UT Campus on September 11-13. This Workshop will go over the draft of the Framework as compiled from the input from the San Diego sessions, and it will be the last chance for the public to provide input to the Framework. It is likely that a draft of the NIST Cybersecurity Framework will be posted a few weeks before the Dallas Workshop, so that the public will have an opportunity to go over it, provide input and recommend changes, and come prepared for the 4th Workshop. Our readers are encouraged to go to http://www.nist.gov and follow this topic. We intend to be part of this conversation and documentation until the Framework is published, and if you have any comments on the Cybersecurity Framework Draft, please send them either directly to email@example.com or to firstname.lastname@example.org and we will pass them on to NIST for you.