Need for Cyber Vulnerability Guidance in NIST Framework Debated

Commenters on the latest iteration of the National Institute of Standards and Technology’s cybersecurity framework disagree on the extent to which the framework should encourage users to develop programs to receive or solicit information about cyber vulnerabilities. In comments filed Friday, the U.S. Chamber of Commerce suggested that NIST was premature to include guidance on cybersecurity vulnerability disclosures (CVDs) in the framework draft issued in December.

The framework “conveys the sense that organizations should have programs to ‘receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources,’” the chamber noted. “However, there are multiple uncertainties (e.g., liability) and complications (e.g., expenses) tied to the structure and utility of CVD processes, and not all companies should be expected to have them,” the chamber said.

“Framework stakeholders ought to grapple further with the complexities surrounding CVD before it is integrated into the framework,” the chamber added.  “Not all businesses will be able to finance, staff, and manage CVD programs, and the chamber does not want to see companies dissuaded from using the framework because of unreasonable expectations.”

Other commenters disagreed. “Processes for receiving, reviewing, and responding to vulnerability disclosures should be considered a core component of modern cybersecurity plans,” said comments filed jointly by 19 organizations, including cybersecurity firms Rapid7, McAfee LLC, and Symantec Corp.; digital advocacy groups such as the Center for Democracy and Technology, TechFreedom, the Electronic Frontier Foundation, and the New America Foundation’s Open Technology Institute; and a handful of similar groups and companies.

“Establishing a coordinated vulnerability disclosure and handling process – and communicating the existence and scope of that policy publicly – can help organizations quickly detect and respond to vulnerabilities disclosed to them by external sources, leading to mitigations that enhance the security, data privacy, and safety of their systems,” the coalition said.

“Vulnerability disclosure and handling processes can also help protect researchers or accidental discoverers acting in good faith by providing them with a clear channel to communicate vulnerabilities to technology providers and operators, reducing the risk of conflict or misunderstanding,” it added.

Vulnerability disclosure was a new topic added to the second draft of “version 1.1” of the framework that was released last month (TR Daily, Dec. 6, 2017).  Originally developed to help critical infrastructure entities improve their cyber defenses, the cybersecurity framework (CSF) was required by an executive order issued in 2013 by the Obama administration.

In 2014, Congress adopted, and the president signed into law, the Cybersecurity Enhancement Act, which codified NIST’s responsibility for updating the framework.  After considering the comments filed last week, NIST expects to issue a final version of the latest update early this year.

Commenters praised the latest version for including guidance on ways for users to measure the effectiveness of various cybersecurity strategies and actions.  “We see a fundamental shift in emphasis in the newest NIST proposal away from simply promoting an undefined notion of ‘use’ of the CSF toward the much more powerful concept of effective use of the framework,” the Internet Security Alliance said. “This change of direction is critical if we are to maintain the vision of the presidential order, and the CSF itself, as a voluntary model for industry.  Businesses are not going to adopt and continue to use the framework’s standards or practices simply because a government agency says they exist.  Businesses need to know these techniques are effective and cost-effective so they can prioritize their investments.  This is impossible without metrics to judge cost-effectiveness,” the alliance said.

Likewise, the U.S. Telecom Association told NIST that the latest version of the framework was “a substantial improvement over the initial version 1.1 on which NIST sought comment a year ago, particularly with respect to the important and still-developing discipline of cybersecurity measurement.” “While draft 2 of version 1.1 addresses for the first time other important cybersecurity challenges such as supply chain risk management and coordinated vulnerability disclosure, this submission places its primary focus on cybersecurity measurement,” USTelecom said.

“Applying this maturing discipline to an organization’s self-assessment of cybersecurity risk and risk management is at the heart of individual organizations’ efforts to develop effective, customized methods to conduct cybersecurity risk management,” it added. —Tom Leithauser,

Courtesy TRDaily