The BSA-The Software Alliance addresses the challenge of updating the cybersecurity framework with new material while keeping it concise and user friendly, in comments to NIST on the agency’s efforts to craft “CSF 2.0.”
“As NIST considers whether and how to update the Framework, BSA urges NIST to do everything in its power to do ensure that the Cybersecurity Framework remains the host helpful 21 pages in cybersecurity. Too often documents increase in volume but decline in value. One important source of value the Cybersecurity Framework provides is only including the cybersecurity information that NIST and its stakeholders identify as the most important,” BSA told NIST on Monday in its submission on the cybersecurity framework update.
BSA said, “It would be detrimental to the value of the Framework, and consequently to the cybersecurity ecosystem, if the Framework were to grow beyond its current length. BSA understands that limiting the length of the document creates a significant challenge -- but it is precisely NIST’s ability to meet that challenge, to include only the most important concepts, language, and references, that create value.”
NIST sought input on the development of CSF 2.0 in a February request for information, including on how to incorporate NIST guidance on risk management developed after the release of CSF 1.1 in 2018.
BSA proposes “using software to build a navigable NIST Cybersecurity Framework Ecosystem that could also link and show the relationship between the Cybersecurity Framework, the Risk Management Framework, and the Privacy Framework, as well as mappings, links, informative references, etc.”
The trade association also recommends mapping or reconciling the cybersecurity and risk management frameworks “to clearly show the relationship between the documents.” BSA said, “NIST should discuss further the broader DevSecOps ecosystem, including how enterprises should consider software factories” as part of the update.
BSA said “further explanation of how threat and vulnerability assessments plug into the Framework, as well as additional informative references for effective threat and vulnerability assessments would improve the Framework.”
“While information sharing should remain voluntary (based on an organization’s cost-benefit analysis of legal, cybersecurity, and other tradeoffs), further discussion on the benefits of sharing information might incline more organizations to share information, and consequently improve the cybersecurity ecosystem as a whole,” BSA said.
On supply chain, BSA said, “To reiterate, as NIST integrates more information into the Framework, it is important to ensure the Framework does not grow past the point of diminishing marginal returns. Too often government policies take a ‘more is better’ approach to improving cybersecurity, and an important driver of the value the Cybersecurity Framework creates is in removing information that is less impactful so that organizations can focus on actions that are more impactful. “
That being said, explaining where and how cybersecurity supply chain risk management (C-SCRM) fits in to the five functions, and how its consideration might impact an organization’s implementation tier would improve the Framework. NIST should particularly consider the subcategory ID.BE: The organization’s role in the supply chain is identified and communicated. Further, identifying priorities within NIST’s current C -SCRM guidance, would add value to the Framework,” BSA said.
Major trade groups and individual organizations have submitted comments to NIST on aspects of CSF 2.0 including the U.S. Chamber of Commerce, the Information Technology Industry Council and USTelecom. -- Sara Friedman (sfriedman@iwpnews.com)