Industry Urges Changes to NIST Framework Update

The government’s cyber standards agency should add a section to its cybersecurity framework promoting best practices for organizations to receive digital vulnerability reports from security researchers, a coalition of cyber companies and advocacy groups said Monday.

That section should include processes for receiving, reviewing and responding to vulnerability disclosures, according to the comments signed by cybersecurity firms Symantec, Tenable and Rapid7 as well as digital rights group including the Electronic Frontier Foundation, the Center for Democracy and Technology and New America’s Open Technology Institute, among others.

The comments came in response to a request for public feedback on the framework update from the National Institute of Standards and Technology.

NIST released its cybersecurity framework to great fanfare in 2014. It’s essentially a best-practices guide for industry to ensure its cybersecurity practices are up to snuff. The framework has been adopted in some form by about 30 percent of U.S. companies since its release and that number is expected to reach around 50 percent by 2020.

NIST officials have described the update as a 1.1 version that will respond to changes in the cyber landscape and feedback from industry since the framework’s initial release.

“Establishing a coordinated vulnerability disclosure and handling process—and communicating the existence and scope of that policy publicly—can help organizations quickly detect and respond to vulnerabilities disclosed to them by external sources, leading to mitigations that enhance the security, data privacy and safety of their systems,” the organizations said.

Numerous organizations rushed to comment on the framework update ahead of a Monday deadline. NIST expects to hold more public meetings on the framework update before releasing a final version in fall of 2017.

The cybersecurity firms Intel and McAfee critiqued several parts of the update, saying they’re not fleshed out enough to be useful yet, especially a section on “measuring and demonstrating cybersecurity.”

The U.S. Chamber of Commerce also expressed concerns about the metrics section, saying it could leave companies confused about how and when regulators could access their cybersecurity data.

The National Association of Federally-Insured Credit Unions warned the increased focus on measures and metrics might be a poor fit for heavily regulated organizations such as credit unions working with sector-specific measurements.  

Chamber members are also concerned policymakers will use efforts to monitor industry adoption of the framework as an invitation to mandate framework use in particular sectors, the business organization said.

NIST officials have regularly stressed the framework should be flexible and voluntary, but lawmakers and other executive branch officials have sometimes discussed making portions of it mandatory for some regulated sectors. A leaked draft of a Trump administration executive order on cybersecurity contemplated making framework compliance mandatory for government agencies.

The chamber also suggested the government create metrics to measure how well it is deterring criminals and adversary nations from targeting U.S. organizations with cyberattacks.

Intel and McAfee also suggested a more international focus for the framework and a standardized process for updating certain elements of the framework without re-issuing the entire thing.

The companies urged against including recommendations specific to government agencies, saying that might inhibit the framework being used as widely as possible.