But, in general, the industry wants NIST to avoid making any changes at all to the choose-your-own-adventure document that has guided risk management and U.S. cybersecurity policy for almost a decade.
The trade association representing the nation’s largest internet service providers asked the National Institute of Standards and Technology to connect its landmark cybersecurity framework—a menu of security controls for organizations’ voluntary implementation—to performance goals the Biden administration told NIST to publish for critical infrastructure.
“The current CSF is effective and therefore changes should be minimal,” USTelecom wrote in comments to NIST. “If changes to the CSF are seen as unavoidable, however, then NIST should address backward compatibility issues, especially as related to other U.S. government efforts. It is particularly important to ensure that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency can map its cross-sector control system cybersecurity performance goals and sector-specific performance goals to the CSF, without the mapping becoming obsolete a short while later.”
A public comment period NIST opened to receive feedback on the framework, originally published in 2014, ended Monday. Comments shared with the agency will also shape NIST's work fulfilling other obligations under Executive Order 14028, including those focused on securing the software supply chain.
“This wide-ranging public-private partnership will focus on identifying tools and guidance for technology developers and providers, as well as performance-oriented guidance for those acquiring such technology,” NIST wrote in the comment solicitation.
NIST has already suggested agencies take the word of government vendors as part of the administration’s “zero-trust” campaign.
The establishment of performance goals is the Biden administration's attempt to follow through on, and pick up where, President Barack Obama left off in assuming that private-sector entities might already be incentivized to improve their cybersecurity because of the reputational and business-operations risks they would face if they did not address weaknesses. Congress is also now considering how the government might apply performance goals or standards in managing the security of "commercial" information and communications technology, a category that often includes major ISPs and cloud service providers. When Obama ordered the creation of the cybersecurity framework, he also barred such technology from being governed as "critical infrastructure."
At a time when CISA and the cybersecurity community have been stressing the possibility of very real physical impacts from cyberattacks, and—in general—a more comprehensive approach to addressing systemic risk, USTelecom's comments also recommended that use of the cybersecurity framework be conducted in a vacuum from other risk considerations.
“The CSF should not itself be expanded to address non-cyber risks because doing so could hinder its cyber-specific utility,” wrote Paul Eisler, USTelecom’s senior director for cybersecurity. “Businesses face an array of financial, reputational, workforce, pandemic-related and other risks. The CSF should not be expanded to address other risks, but rather should serve as a model for a voluntary, flexible framework.”