Another concern is that the framework fails to prioritize cybersecurity spending. "Where do I spend my next marginal dollar?" Larry Clinton, head of the Internet Security Alliance, asked. "The framework doesn't tell them. I think in two years we're not going to see a substantial reduction in anything."
One group, the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), is worried that the framework misses a very important first cybersecurity step: situational awareness. "The framework is largely a reflection of existing standards and practices and situational awareness is not as completely spelled out as it should be in the long run," Chris Blask, Chair of the ICS-ISAC, said.
These and other concerns will continue to be aired under NIST's auspices over the coming months as it continues to fulfill a role as a "convener" while it hands off responsibility to other government groups. NIST may also host another public workshop in the next six months to review stakeholder experience, implementation progress and questions around long-term governance with what it calls Version 1.0 of the framework.