In May 2017, NIST hosted another Cybersecurity Workshop. This 2 day workshop was held as part of their process to update the Cybersecurity Framework. This process actually started a year ago when NIST had a request for comments on how the framework was used, followed by a workshop to review that input and see if there was a need for an update.
A big question was should the update be incremental (a version 1.1) or major (a version 2.0). The answer was more for an incremental update.
So this was followed by a draft v1.1 update at the end of 2016, followed by another request for comments on the draft, which lead to this workshop to review the results and do further work to get to a finished v1.1
If you wish to read the analysis of the request for comments, you can read it HERE.
What was also interesting is some of the things that occurred just before the workshop.
On the Thursday before, an Executive Order was released on Cybersecurity that will have a big impact on the use of the Framework. I'll be posting on that soon. You can read it HERE.
Then on Friday, NIST released a draft document NISTIR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies. As the title indicates, this document is meant to help federal agencies use the CSF, which now something that is more important in light of the new EO. You can read the draft HERE.
Now, some may not understand how these workshops work. If you have only attended security conferences, these workshops are different. Security conferences will largely have presentations and panels. These workshops have some of those, which were broadcast on YouTube. And some of the presentations are available at their site HERE. But there are no keynotes or the like.
But a big part of the work going on at the workshop happen in breakout sessions on various topics. In these sessions, participants come together to discuss a particular topic, under the guidance of 1 or 2 mediators, with a couple of people taking notes. There were 3-4 period of these sessions, with about half a dozen sessions each period. And as always, there were several sessions I wanted to attend, but had to make a decision.
The workshops are open to anyone (tho you MUST register in advance, there are no walk-ins), but the reason to go is to *participate* in these working sessions. Not be a passive listener, but to contribute in some way.
Another thing was the variety of people in attendance. You have a wide range for people, including "movers and shakers" with various organizations. While I may allude to some of the people I met, I won't mention names. So in addition to the sessions, there were chances to chat with others you met there in between, and as many of us ate in the cafeteria at NIST, there was more chances to met and talk with others, even if its "random people" you might find out are doing important stuff.
On the first day there were 2 panel sessions (these were broadcast on YouTube). For me, these 2 turned out to be more interesting then I expected. The first of these was on the use of the framework, but it turned out all the participants were from the healthcare area, which I do a lot of work in. The second one was on international use, and I didn't think it would be that interesting. Figured it would be about how this country or that was using or looking at the Framework. But one person was from Microsoft and was part of the group that oversees the ISO 27000 series of works, so hearing about some of the stuff being work on in that area was great. I wanted to speak with her further, and was able to later.
When we got to the breakout sessions, the first session I went to was on measurement, which is a new section of v1.1. In this session, there was a wide range of views of measurement & metrics. While I think everyone felt it was important, I think there was a lot of concern about having stuff in the CSF that would constrain certain organizations. There were some who felt this should be pulled out of the CSF work itself, and made available as a companion work. Uncertain how this will impact the final version of 1.1.
Next I attended the session on the future of informative references. At present there are about 5-6 informative references in the Core. But they need to be updated (CSC has already gone to version 6.0 and will soon be updating to v7 later this year). Plus there are other standards, frameworks, and regulations that need to some kind of mapping/crosswalk to the CSF. Should all be included as informative references, or just certain ones? And how to handle the other mappings/crosswalks? HHS released a mapping from HIPAA to the CSF. PCI has a mapping as well they will soon be released (they have to work out some details with NIST on this). It seems a strong view that the other groups should be the ones developing the mapping to the CSF, and not NIST.
I am hoping that they will just have a certain number, the most important, as part of the informative references in the Core, with others (regulations, and such) as available mappings that those who want to include them can do so without a lot of extra work.
This session has several interesting people at that I spoke with afterwards. There was someone from the Information Security Forum, which puts out a work called The Standard of Good Care for Information Security. Some want this work as an informative reference. While I think that would be great, I just wish this work was more readily available to people. There were people there representing ISACA (COBIT), The Open Group, CIS, and so on. I was able to speak with the person from Microsoft involved with the ISO 27000 group and got a better understanding of what was coming.
The second day there were "deep dive" topics, but instead of staying in one, I decided to do two. So in the morning on Cybersecurity Governance and the Board. In the afternoon I went to the Small and Medium Business and Cybersecurity.
In that session, one thing we got was copies of a new work from Better Business Bureau: The State of Cybersecurity Among Small Business in North America. A nice report. You can get it HERE, along with other resources. I need to post on this stuff as well.
And other resource mentioned is the new Baldridge Cybersecurity Excellence Builder, developed as part of the overall Baldridge Excellence Program. Again, I need to post separably on this.
The event wrapped up with a final session reviewing the findings and such from all the sessions. We should get a report on this in the next month or so. They put out a schedule of upcoming work, and I hope they will be putting out the final v1.1 later this year. Some of their comments give the impression they may feel the 1.1 draft may need further work. We will have to see when the report comes out.
Will we see a Workshop in 2018? No idea. Certainly some of the things that came out at this workshop may lead to a need for another that will help moving the Framework toward a 2.0 somewhere down the line. And if they feel the draft needs more work, then another workshop may happen. We'll have to see.