For two days, April 6 and 7, 2016, NIST (the National Institute of Standards and Technology) hosted a workshop for the Cybersecurity Framework (CSF). This is the 7th they have held.
In developing the CSF, NIST held a series of 5 such workshops to gather the feedback that was used in developing the Framework. A 6th workshop was held shortly after the Framework's release. As part of the process of further developing and supporting the Framework, NIST put out a Request for Information (RFI) on the Framework's use, and also solicited comments on possible improvements or revisions (say a 1.x update or a 2.0 update). This RFI ran from December 2015 to February 2016. This workshop was held to review the outcomes of that RFI, as well as to gather further feedback.
For more info on these past workshops, go HERE. At present, their report on this workshop won't be available until mid May; however, the webcast recordings should now be available.
I was fortunate to attend this event, and this is a preliminary report on what I saw and learned. I will do a more detailed report soon. I had never attended one of these, and so was expecting more in the line of presentations. Several of the sessions were in that form (and were recorded for broadcast on the web), but the breakout sessions were more for information gathering and sharing. About 900 people registered, but I am not sure how many were in attendance. Just based on the number of ID badges not claimed, it seemed like maybe a third or a fourth didn't show.
Some of the big topics were:
* Framework usage by various organizations: what their needs were, etc. One thing heard repeatedly was that small orgs struggle with it, so maybe guidance is needed here (I know ITIL has this, and I've heard of it in regards to ISO 27001). Some would like to see suggested sector-level Profiles developed as a target to work toward in their program. A means of assessing an organization against the Framework was also asked about. It was surprising what a wide range of orgs is using it: private, public, government bodies of various sorts, and even foreign groups.
* Governance of the Framework. Should NIST continue to oversee it or turn it over to another body? Is the fact that NIST is overseeing it seen as a problem? Is the method NIST is using to manage and update the Framework OK? The consensus seemed to be that having NIST oversee it at this point is fine, as is their method.
* Updating the Framework. Are people looking for an incremental update (say to a 1.1 or a 1.5) or a big update (2.0)? It seemed to me that most would be open to an incremental update, say updating the informative references (CSC is now version 6, not 5; add crosswalks to other standards like HIPAA and PCI), but don't want to see a major update at this point, as orgs are still trying to implement the Framework. 2.0 will probably be 2-3 years down the road. I know I said they should dump the Tiers and replace them with a proper maturity model. Some spoke of linking some of the subcategories; others were open to creating further subcategories (or splitting some existing ones). I heard from others their dislike of the Tiers and a wish for a maturity model. So who knows? Hopefully that will be part of the next major release.
Other topics were on best practice sharing, assessment of the Framework, and others like workforce education.
I am surprised by how many organizations have jumped on the Framework. It's not as if we don't already have something very similar in ISO/IEC 27001. I see the Framework more as an overlay on things like CSC, 27001, FISMA, etc.
No idea when we will see another Workshop. Would think it will be about a year before that happens.