I came across an interesting article by Anthony Freed on one opinion of the recently released Cyber Security Framework (CSF) that NIST developed as part of the presidential executive order earlier this year. In the post, Anthony summarizes the analysis and opinions of Phil Agcaoili, a founding member of the Cloud Security Alliance (CSA) and co-author of the Cloud Controls Matrix (CCM).
Phil’s key argument focuses on the fact that NIST is just reinventing the wheel. Most companies targeted for the CSF already follow some existing standard and NIST just added yet another one to the mix. Phil recommends NIST focus the CSF on helping organizations identify which of the existing standards they should follow rather than inventing a new one. Expanding on this theme, he also suggests that maybe the best solution from NIST’s perspective is to just create a light version of SP 800-53.
Regardless, you have until December 13th to let NIST know your thoughts on the CSF draft.
The government shutdown has delayed efforts by the National Institute of Standards and Technology (NIST) to put forth their draft of the Federal Cybersecurity Framework (CSF), having missed the October release deadline and potentially threatening the February 2014 final document deadline mandated by President Obama’s cyber security executive order issued earlier this year.
But NIST’s delays as a result of political wrangling have not stopped one key player from pushing forward with his own proposal on how to structure the framework in a simplified manner that takes advantage of already existing standards like NIST SP800-53, ISO 27001, CCS CSC, NERC CIP, ISA 99 and COBIT, among others.
Phil Agcaoili (@Hacksec, aka PhilA), a venerated security industry leader, published his proposal on Oct. 10 to coincide with the deadline NIST missed. The full document can be downloaded here (Excel File).
Agcaoili’s Framework proposal reflects the fact that most critical infrastructure entities are already adhering to a number of valid security standards, and that the guidelines should not be so complicated that they turn into a process of essentially “reinventing the wheel.”
Should NIST focus on recommending existing standards versus creating a new one? Let us know in the comments below. Today’s post pic is from InfosecInstitute.com. See ya!