Cybersecurity Leader Offers Alternative Version to NIST Framework



Phil Agcaoili (pronounced "Agg-Ca-Willy") is doing his best to push things forward with the cybersecurity framework process underway at the National Institute of Standards and Technology (NIST). The much-lauded cybersecurity leader, who sold his first cybersecurity company to Verisign for $70 million in 1998, making him a comfortable man in his mid-20s, has made a public shot across the bow of NIST's effort to craft a comprehensive cybersecurity framework for critical infrastructure as mandated under President Obama's February 2013 cybersecurity executive order (EO).

At midnight last night, Agcaoili posted on the Internet his own draft cybersecurity framework (download spreadsheets here) that he contends is a simpler, better version of the one that NIST has been working on since February.  He said that his framework, which he has vetted with the top cybersecurity professionals and standards-setting bodies in the world, actually meets the EO's goal, which is to produce a "prioritized, flexible, repeatable, performance based, and cost effective" scheme.

The timing of Agcaoili's is no coincidence - under the EO NIST was required to publish a draft of its framework in 240 days, or on October 10th, yesterday.  Due to the government shutdown, NIST has ceased all work on the framework, which must be finalized by February, and has shuttered its framework website (see image above).  If NIST aims to meet the February deadline despite the delay, as some reports indicate, there is little time to make effective changes in the framework, which, while currently voluntary, could ultimately become mandatory for many critical infrastructure industries through regulatory machinations.

"We're not shutting down on the Internet," Agcaoili said, referencing the fact that interested commenters no longer have access to the materials that NIST has developed and on which NIST is seeking public comment. Agcaoili said he released his alternative framework as a private citizen.

"I was making a statement on many levels on what a private citizen can do, what the government doesn't have to do," he said.

Agcaoili is echoing the view held by many cybersecurity practitioners inside critical infrastructure entities (as opposed to Washington representatives or Beltway consultants or government officials) that the NIST framework is simply "reinventing the wheel" and will make cybersecurity more, not less, difficult.  He said his framework consists of nothing more than well-honed cybersecurity components that already "exist in the wild" and for which most critical infrastructure entities already seek certification.

Specifically, Agcaoili's framework hinges on six core schemes:  ISO/IEC 27001-2005, COBIT 4.1, NIST SP800-53 R3, CCS CSC, NERC CIP and ISA 99.  In addition, he has factored in three key privacy standards -- GAPP (August 2009), AICPA TS Map, AICPA Trust Service Criteria (SOC 2SM Report). The latest version of the NIST framework is generic when it comes to privacy, despite the EO's requirement that NIST ensure privacy requirements are built into the framework.

"If you’re already following SANS, if you’re already following ISO, if you’re already following NERC-CIP you’re following the framework," he said.  "We've done it in the industry all along."

Much of Agcaoili's framework is based on technical "mapping" work performed by the Cloud Security Alliance (CSA), which has attempted to pull together the sometimes incoherent mass of cybersecurity standards into a comprehensible whole so that cybersecurity professionals can more easily know how to secure their networks and systems.  Agcaoili began to vociferously promote a CSA-type approach in San Diego in July at one of the four workshops NIST has held since the EO was signed.

He said he does have the support and backing from a host of cybersecurity luminaries and standards group. Agcaoili named these individuals and groups--and they are impressive--with the same rapid-fire and encyclopedic knowledge he uses to discuss the vast, arcane and complex world of cybersecurity standards and practices.

Asked why he has taken this bold step, Agcaoili said "so that people can pick it up and use it.  So we can actually defend our country and stop all the fracturing that’s going on."

Note:  This headline and some of the article text has been modified since its original publication.

Twitter Delicious Facebook Digg Stumbleupon Favorites More