The real benefit of the cybersecurity framework released last week by the National Institute of Standards and Technology (NIST) will come when businesses and organizations use it with their partners and suppliers, Adam Sedgewick, principal organizer of the framework effort at NIST, said yesterday. Speaking at our webinar (replay available) on the NIST framework, held jointly with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), Sedgewick said, “I think people have realized more and more that this is a pretty broad ecosystem.”
“What I hope we will see is that it will be used in business to business conversations. That’s where this approach can really scale, where it is not tied to one or two government agencies. That’s kind of the moonshot here and what we’re really hoping for.”
Even though the water sector has developed its own cybersecurity guidance, the NIST framework should prove to be a useful “anchor” on key cybersecurity issues, Kevin Morley, Security & Preparedness Program Manager, American Water Works Association, said. “We believe that it provides a very useful anchor on some principles” even if at “an applied level it may be a little abstract.”
The electric sector, which has its own mandatory cybersecurity standards in the form of NERC-CIP (National Electricity Reliability Corporation Critical Infrastructure Protection) requirements, was pleased to see that NIST made efforts to map the framework to those requirements during the development process, Laura Brown, Manager of CIP Policy and Coordination for NERC, said. “We’re happy…that the White House and NIST acknowledge that we have these standards.”
Involving top management in use of the framework is critical to its success, Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs, said. “It’s not something you want to do with a bunch of techies off to the side.”
Getting a realistic grip on the level of the organization’s cybersecurity maturity is likewise crucial to the framework’s success. “Honest evaluation is critical,” Landfield said. “You need to be accurate with where you stand today. If you’re a one [in terms of the framework’s implementation tiers], put it as a one. If you are not using the tool correctly, you’re not getting the most out of it.”
The implementation tiers in the framework, which “rate” an organization on how highly evolved its cybersecurity protection schemes are, could prove to be a disincentive to smaller organizations, Morley said. “We have concerns a little bit with the tiering structure. From our perspective this may be a disincentive for action” because people are afraid their organizations will look bad if they rate lower on the scale.
From an industrial control sector perspective, the framework “is good for a number of reasons because it furthers the motion of the machinery in the U.S. public sector,” Chris Blask, chair of the ICS-ISAC said.
“For our purposes it’s helping our membership and by extension the people they are in contact with.”