Developing IT Security Best Practices

From:  GovInfoSecurity.com

NIST Analyzes Cybersecurity Framework Comments

By Jeffrey Roman

NIST's Donna Dodson leads a federal effort to create a cybersecurity framework industry can voluntarily adopt.

The National Institute of Standards and Technology has issued its initial analysis of comments on plans for a cybersecurity best practices framework that President Obama ordered to be developed.

The analysis comes in time for a NIST workshop May 29 to 31 at Carnegie Mellon University in Pittsburgh, where efforts to draft the framework will begin.

“That’s really where we roll up our sleeves and take our preliminary analysis … and start to drill down into the substance that will actually be used to create the tool framework,” Donna Dodson, chief of NIST’s computer security division and deputy chief cybersecurity adviser, says in an interview with Information Security Media Group before the initial analysis was issued [see transcript below].

A preliminary version of the framework, which the owners of the nation’s critical IT infrastructure could voluntarily adopt, is scheduled to be published in the fall, with the final version of the framework slated to be issued next February.

According to the Initial Analysis of Cybersecurity Framework Request for Information Responses, issued late last week, the key principles include:

  1. Providing flexibility, which should apply across multiple sectors and across the diverse group of stakeholders.
  2. Having an impact on global operations, which one stakeholder says should be approached on a consistent and cohesive basis across geographies, as well as demonstrate a commitment to the global standardization process.
  3. Adopting a risk management approach. “Balancing the need to deploy risk-appropriate security controls against deploying those mandated by regulatory or contractual obligations is one of the greatest challenges to improving cybersecurity practices,” another stakeholder says.
  4. Leveraging existing approaches, standards and best practices to information security. Owners and operators of critical infrastructure should not have to manage overlapping or duplicative approaches, dual standards and conflicting requirements.

“Initially, we’re looking at the cross cuts, those standards and best practices that will apply across the board,” says Dodson, who’s leading a federal government effort to take hundreds of suggestions from the private sector to create an IT security best practices framework that critical infrastructure operators could voluntarily adopt. “Then, we go from that generalized approach into the specifics needed for different critical sectors.”

In the executive order issued in February, Obama directed NIST to work with industry to establish the best IT security practices to protect the nation’s critical infrastructure.

In the interview, Dodson discusses the:

  • Steps being taken to work with industry to develop the framework;
  • Importance of the private-sector submissions on creating IT security best practices; and
  • Goals of the workshops.

At NIST, Dodson oversees the institute’s cybersecurity program to conduct research, development and outreach necessary to provide standards, guidelines, tools, metrics and practices to protect the information and communication infrastructure. Under her leadership, the division collaborates with industry, academia and other government agencies in research areas such as security management and assurance; cryptography and systems security; identity management; security automation; secure system and component configuration; test validation and measurement of security properties of products and systems; security awareness and outreach; and emerging security technologies.
