Another sticking point is how the framework handles privacy and civil liberties issues. The most recent version of the framework includes a fully developed separate appendix that lays out a methodology based on the Fair Information Practice Principles (FIPPs), as articulated by the Federal Trade Commission, organized to correspond with the five functions and multiple categories that make up the framework's main "core."
A number of critical infrastructure providers are balking at what they contend are overly broad privacy requirements that are not relevant to the task at hand. They see the appendix as a set of detailed privacy prescriptions that are stricter than the rules many of the sectors operate under today. "Everybody feels that a lot of the data protection standards are covered in the core already," one critical infrastructure attorney said. "They are trying to shoe-horn in this stuff. It's too much for the purpose of the framework."
One privacy and cybersecurity expert, Harriet Pearson of Hogan Lovells, prepared an alternative privacy methodology based on feedback she received from a number of top critical infrastructure asset owners, and presented it during a topic-specific session at the workshop. The alternative methodology strips the privacy requirements down to those strictly related to the cybersecurity issues already addressed in the framework core. Most of the major critical infrastructure providers involved in the NIST effort can agree on this alternative methodology, the privacy attorney said.
Another persistent concern is how well small and medium-sized entities will be able to grasp the complex framework, which is modeled on advanced notions of cyber protection.
"There are twenty-two categories and ninety-seven subcategories. That's a lot for small and medium-sized businesses," Cox Communications CISO Phil Agcaoili said during a panel discussion. "For some small organizations, the person responsible for cybersecurity could be the owner's eighteen-year-old son," one electric industry representative said.
NIST hosted a topic-specific working session on small and medium business considerations at the workshop and says further development of what it is now calling "framework 1.0" will continue to address this particular challenge. The framework could be modified further in this and a number of other respects as NIST gathers and reviews feedback during an open comment period, which closes December 13.
"That input will continue to shape the framework as well as a roadmap of where we need to go from here," Bob Kolasky, Senior Advisor to the Assistant Secretary for Infrastructure Protection at DHS, said during the closing panel. DHS is organizing a voluntary program to encourage adoption of the framework, which is intended to be a main venue for the framework's continued evolution after NIST publishes the final version. But a number of critical infrastructure owners are skeptical of how well DHS can handle the challenge. "They haven't given us a lot of clarity of what that program involves," one communications industry representative said.