NIST Analysis of Public Comments On Its Cybersecurity Framework: One Step Forward For Transparency, One Step Backwards For Voluntary Standards

Much to its credit, NIST has:

— made public, in a very accessible forum (not regulations.gov), all the comments it received from the public in response to its Request for Information.

— conducted an in-depth review of the comments it received and presented them in an easily understandable format.

NIST also raised a question which CRE has been exploring with a number of international organizations, namely:

What role(s) do or should national/international standards and organizations that develop national/international standards play in critical infrastructure cybersecurity conformity assessment?

The aforementioned actions are a step forward.

However, NIST failed to address the recommendations made by CRE which would ensure that the Framework's recommendations remain voluntary rather than becoming regulatory mandates. In particular, NIST declined to address CRE's two key recommendations, namely:

1. Administrative Appeals Process. NIST needs to establish an administrative process which allows organizations, if needed, to seek and obtain correction of decisions that determine what counts as an Industry Best Practice.

2. Conformity Self-Certification. The Framework needs to include a process by which each critical infrastructure company can determine how best to verify its own conformity with Industry Best Practices, in lieu of expensive and burdensome third-party certification.

CRE will continue to work with NIST to have it take actions that will virtually guarantee that its standards are voluntary, not mandatory.
