The National Institute of Standards and Technology (NIST) held its sixth workshop on the Cybersecurity Framework on October 29-30, this time in Tampa, Florida at the University of South Florida. Venable attorneys attended the workshop, as they have for all of NIST's previous workshops on the Framework. NIST and White House representatives made it clear that no major revisions to the Framework should be expected in the near future. However, the workshop provided attendees with a better understanding of the extent to which the Framework is being used, the ways that various entities are using it, and the issues, concerns, and gaps that have been identified with regard to the Framework since its rollout in February of this year.
The first day of the workshop featured three panel discussions, focusing on the use of the Framework, sector-specific implementations (specifically within the communications, energy, and financial services sectors), and the tools and other products that have been developed around the Framework, respectively. The second part of the first day featured breakout sessions in which attendees discussed the subjects addressed earlier by the panelists.
The second day began with breakout sessions on topics that required additional focus and attention in order to identify voluntary consensus standards for inclusion in the Framework. These topics included authentication, automated indicator sharing, supply chain and conformity assessment, cybersecurity workforce, and privacy methodology. There was also a session on standards supporting the Framework.
Following these sessions, the workshop closed with panel discussions on the use of the Framework by various regulators and policy makers. NIST also provided updates on several separate but related initiatives, including the Cyber-Physical Systems Public Working Group, the Privacy Engineering Objectives and Risk Model, the National Cybersecurity Center of Excellence, and the National Strategy for Trusted Identities in Cyberspace.
Results of Initial Inquiries
Following two days of panel and group discussions, NIST's representatives stated their initial conclusions. Specifically, they found that:
- awareness of the Framework was strong, but that additional outreach was still needed;
- the Framework has been successful in promoting increased communication of cyber risk across the enterprise (and especially with senior executives);
- users of the Framework seek more tools for using the Framework (such as use cases, "getting started" guidance, templates, and governance, risk management, and compliance (GRC) tools); and
- the Framework "Core" is getting more use than the tiers, which were intended to provide a measure of process maturity/sophistication.
Regarding the last point, it seemed likely, based on the panel discussions, that mapping existing cybersecurity practices against the Core, whether for purposes of resource allocation, risk reporting, or otherwise, was the most common use of the Framework.
Based on Venable's participation in the workshop, the following takeaways were also evident from the discussions:
- Some major corporations are using the Framework.
Numerous major organizations in the IT, financial services, energy, and communications sectors, among others, were vocal about their use of the Framework. Although a "gap" identified at the workshop was a lack of awareness and resources amongst small and medium-sized entities, the Framework was created in response to an Executive Order (EO) intended to improve critical infrastructure cybersecurity. Thus, while adoption by small and medium-sized entities is a laudable goal, the target audience of the Framework appeared at the workshop to be highly engaged with it.
- Tensions persist regarding the perils of "using" the Framework.
Although entities are utilizing the Framework, the specter of liability shadows many of the public conversations regarding its utility in contexts other than internal use. This manifests, for instance, in the passionate protests that were voiced when NIST officials or other participants referred to the Framework as being "adopted" or "implemented." Similarly, concerns about the Framework being – or becoming – a "standard of care" are most likely behind the common opposition to any suggestion that the Framework could be used to compare organizations' cybersecurity practices or as a benchmarking tool. Without the ability to somehow objectively measure or express an organization's use/implementation of the Framework, however, the question arises as to how it could be used to manage supply chain risk or determine eligibility for insurance or incentives, all of which were stated goals for the Framework.
- The utility of the Framework other than for internal use has yet to be proven.
Given the multitude of existing tools that may be used to communicate various levels of accomplishment within an organization, the question remains as to what incentive there is to make use of the Framework in that manner. For instance, several attendees of the workshop wondered aloud why the Framework should be used to express vendor cybersecurity requirements when certifications, such as those issued by the International Standards Organization, already exist.
- Entities of all sizes are frustrated by the lack of incentives to date.
In their comments responding to a Request for Information (RFI) issued by NIST prior to the workshop and in numerous statements made in the breakout sessions, attendees voiced concern about the lack of economic incentives for use of the Framework. One comment submitted in response to the RFI stated that "[d]elivering incentives for Framework use, as called for in the EO, could help drive Framework usage by creating a stronger market case for the Framework." Several participants echoed this sentiment during breakout sessions.
- NIST remains committed to the voluntary nature of the Framework and is in no hurry to make any changes to it.
NIST representatives took great care, in discussing the Framework, to make clear that their primary near-term goal is increased awareness, both nationally and internationally. Representatives were also careful to clarify that the ability to measure use of the Framework would foster "confidence" in an entity's practices rather than serve as a "conformity assessment."
Both White House and NIST officials also made it clear that there are no plans to issue a Version 2.0 of the Framework in the near term.
The sixth workshop offered attendees valuable insight into the use – and usefulness – of the Cybersecurity Framework; some of the concepts that may eventually be integrated more fully into it; as well as some of the potential obstacles to widespread adoption of the Framework as the lingua franca of cybersecurity. As with all of the previous workshops, Venable was present at the meeting and can answer any questions you or your organization may have about the Framework or its place in the legal cybersecurity ecosystem.