The Cybersecurity Framework will be a living document, and the current version identifies gaps and weaknesses that will be addressed in future iterations.
When the final Cybersecurity Framework for critical infrastructure is released in February, it will look “very much” like the Preliminary Cybersecurity Framework released this month, said National Institute of Standards and Technology director Patrick Gallagher.
That does not mean the framework is carved in stone, however. Gallagher said it will be a living document and will evolve to address new threats and business needs.
An entire section of the document, Appendix C, addresses “Areas for Improvement.” IT risk management is a less mature practice than other forms of security, and not all of the needed standards and best practices have yet been identified or created. Input from government, industry and academia during development of the framework has identified gaps to be addressed in future iterations.
“These initial Areas for Improvement provide a roadmap for stakeholder collaboration and cooperation” in developing new or revised standards, the framework says.
Initial areas for improvement are:
Authentication. Ensuring the identity of those accessing resources and services is a challenge in any online activity. Developing authentication schemes that are secure while remaining manageable and scalable can be daunting. “While new solutions continue to emerge, there is only a partial framework of standards to promote security and interoperability,” the framework says. Usability is a significant challenge for many control systems.
Automated indicator sharing. Information sharing is essential in securing entire industry sectors, but there is little standardization in how this is done across and between organizational boundaries.
Conformity assessment. Organizations need standardized, cost-effective ways to assess how well they conform to the standards they adopt, so that the results of an assessment can be trusted by customers, partners and regulators.
Cybersecurity workforce. Even with the use of automated tools, a skilled workforce is needed to manage and protect critical infrastructure. The shortage of qualified cybersecurity experts is well known, but the shortage of those with an understanding of the unique needs of critical infrastructure is even greater. The industry needs to better understand these specific needs and to recruit and train workers.
Data analytics. Big data and the analytic capabilities of cloud, mobile and social computing offer both opportunities and challenges in analyzing cybersecurity data. Taxonomies, tools and metrics need to be developed.
International aspects, impacts and alignment. U.S. infrastructure does not operate in a vacuum; much of it is owned by, connected to or supplied by organizations abroad, so standards, practices and expectations need to be aligned internationally rather than defined for the United States alone.
Privacy standards. Privacy and civil liberties are relatively immature areas of the framework and will get additional attention going forward. Fair Information Practice Principles offer a set of guidelines for mitigating privacy impacts, but there is a lack of standardization and metrics for implementing them.
Supply chain risk management. Organizations continue to struggle to identify risk in the supply chain and prioritize actions in addressing it.