Slashdot Mirror


Touting Government/Industry 'Partnership' on Security Practices, NIST Drafts Cybersecurity Framework Update (scmagazine.com)

Remember NIST, the non-regulatory agency of the U.S. Department of Commerce? Its mission expanded over the years to protecting businesses from cyberthreats, including a "Cybersecurity Framework" first published in 2014. "The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid," NIST wrote in January, "but the framework has been widely adopted by many types of organizations across the country and around the world." Now SC Media reports: The second draft of the update to the National Institute of Standards and Technology's cybersecurity framework, NIST 1.1, is meant "to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use," according to NIST. Specifically, it brings clarity to cybersecurity measurement language and tackles improving security of the supply chain. Calling the initial NIST CSF "a landmark effort" that delivered "important benefits, such as providing common language for different models" of standards and best practices already in use, Larry Clinton, president and CEO of the Internet Security Alliance, said "it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development...

"To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization"... Clinton praised the process used by NIST as "a model 'use case' for how government needs to engage with its industry partners to address the cybersecurity issue." The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended.

Slashdot reader Presto Vivace reminds you that public comments on the draft Framework and Roadmap are due to NIST by 11:59 p.m. EST on January 19, 2018. "If you have an opinion about this, NOW is the time to express it."

15 comments

  1. NIST is not trustworthy. by Anonymous Coward · · Score: 0

    the 9/11 report shows that.

    1. Re:NIST is not trustworthy. by Anonymous Coward · · Score: 0

      NIST SET US UP TEH BOMB

    2. Re: NIST is not trustworthy. by Anonymous Coward · · Score: 0

      NIST helped perpetrate the Dual_EC attack on crypto - effectively the whole country as their target. Fuck 'em - https://en.m.wikipedia.org/wiki/Dual_EC_DRBG

    3. Re: NIST is not trustworthy. by Anonymous Coward · · Score: 0

      Remember that time that the corrupted shitbags at NIST helped commit treason and attacked the American people?

      Yeah. I remember.

    4. Re:NIST is not trustworthy. by Anonymous Coward · · Score: 0

      NIST is responsible for widespread airbag fraud.

  2. How Can We Trust a Government by Anonymous Coward · · Score: 0

    That hacks us and uses blanket surveillance to undermine our privacy and security (NSA) on the one hand and then with the other (NIST) tells us that they care about our security? Genuine open source security advice or assistance helps both good guys and bad guys. We know that, so must the government. So how can we trust the value of their security advice? It's a good question.

  3. First two words of the summary shows ignorance by Anonymous Coward · · Score: 0

    "Remember NIST?"

    Yeah, if you are anywhere in the vicinity of the cybersec industry, or have even an inkling of a clue about cybersec, you know what NIST is and don't need to "remember" it.

  4. "Fascism is the merger of ... by Anonymous Coward · · Score: 0

    ... government and industry." -- Benito Mussolini, father of fascism

    Today, we also call it "privatization". Or "lobbyism"/"revolving doors".

  5. This is trivial, boring but important by sinij · · Score: 2, Interesting

    This standard is trivial, very basic, and very important. Why? Because any NIST standard becomes the lowest bar to clear for compliance. So by releasing standards like this they make it harder for unscrupulous companies like Equifax to get insurance.

    1. Re:This is trivial, boring but important by Anonymous Coward · · Score: 1

      Strokes the ego, but the parent post is not correct. NIST standards are not trivial or basic. It takes a team of people with masters level understanding to implement them. Very few companies come close to NIST framework levels of competence. Very few. I make my living getting them up when the board really cares about security. No reasonable company would purchase insurance that requires compliance to a security standard, as security is dealing with unknown unknowns. Lack of absolute compliance, in the beancounter sense, can always be proven.

      Secondly, NIST standards are expected to be customized to organizational contexts and requirements. They are intentionally as thorough as a generic solution could possibly be. Their competitors are the expensive and inferior ISO standards or proprietary corporate consultant offerings that are even worse.

      Security standard frameworks are terribly important, undervalued, and underutilized.

    2. Re:This is trivial, boring but important by Anonymous Coward · · Score: 0

      You #55712101, are probably correct, but I submitted an update anyway. I requested that 'should' be replaced with 'shall' or 'must' and that a dictionary addendum be added so that the meaning of the words cannot be changed by certain, highly funded, government departments.

    3. Re:This is trivial, boring but important by Anonymous Coward · · Score: 0

      ...so that the meaning of the words cannot be changed by certain, highly funded, government departments.

      Bwaaahaahaahaa!

      Look at how the meaning of the words in the US Constitution has been tortured and/or outright ignored! ...And you think adding a dictionary definition is some kind of fix?

      Wait.

      Let me laugh even harder!

      Bwaaaahaaaahaaaaahaaaaa -gasp- ..Haaahaaahaaahaaaaaa!!!!

    4. Re:This is trivial, boring but important by Anonymous Coward · · Score: 0

      Except that you didn't read even the title of the PDF and this is literally the worst summary ever.

      This isn't about software but infrastructure - I think they are talking about the energy network and transportation, etc.

      There already are plenty of standards and guidelines for serving software applications and handling customer data. SOC, ISO27001, PCI-DSS, OpenSAMM, BSIMM, Common Criteria, FIPS, and even the security recommendations of what is it, NIST 800-30 or whatever the software security guidelines.

  6. Supply chain by manu0601 · · Score: 1

    TFA does not tell you anything more precise than that it improves the security of the supply chain. You can skip that read or jump directly to the NIST document.

  7. NIST and NSA by Agripa · · Score: 1

    Is this the same NIST which cooperated with the NSA to subvert cryptographic standards for decades? Yea, no thanks.