Roadmap (February 12, 2014)
Draft Roadmap (December 5, 2017)
Areas for Development
The following list of high-priority areas is not intended to be exhaustive. These are important areas identified by stakeholders that should inform future versions of the Framework. They require continued focus; they are important but evolving areas that have yet to be developed or need further research and understanding. While tools, methodologies, and standards exist for some of the areas, they need to become more mature, available, and widely adopted. To be effective in addressing these areas, NIST will work with stakeholders to identify primary challenges, solicit input to address those identified needs, and collaboratively develop and execute action plans for addressing them.
While new authentication solutions continue to emerge, there is only a partial framework of standards to promote security and interoperability. The usability of authentication approaches remains a significant challenge for many control systems, as many existing authentication tools are for standard computing platforms. Moreover, many solutions are geared only toward identification of individuals; there are fewer standards-based approaches for automated device authentication.
Automated Indicator Sharing
The automated sharing of indicator information can provide organizations with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring. Sharing indicators based on information that is discovered prior to and during incident response activities enables other organizations to deploy measures to detect, mitigate, and possibly prevent attacks as they occur.
Conformity assessment can be used to show that a product, service, or system meets specified requirements for managing cybersecurity risk. The output of conformity assessment activities can be used to enhance an organization’s understanding of its implementation of a Framework profile. Successful conformity assessment provides the needed level of confidence, is efficient, and has a sustainable and scalable business case. Critical infrastructure’s evolving implementation of Framework profiles should drive the identification of private sector conformity assessment activities that address the confidence and information needs of stakeholders.
A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical infrastructure. There is a well-documented shortage of general cybersecurity experts; however, there is a greater shortage of qualified cybersecurity experts who also have an understanding of the unique challenges posed to particular parts of critical infrastructure. As the cybersecurity threat and technology environment evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary cybersecurity practices within critical infrastructure environments.
Several significant challenges must be overcome for the extraordinary potential of analytics to be realized, including the lack of: taxonomies of big data; mathematical and measurement foundations; analytic tools; measurement of integrity of tools; and correlation and causation. More importantly, the privacy implications in the use of these analytic tools must be addressed for legal and public confidence reasons.
Federal Agency Cybersecurity Alignment
It is important that any effort to apply the Cybersecurity Framework across the Federal government complement and enhance rather than duplicate or conflict with existing statute, executive direction, policy, and standards. It should also seek to minimize the burden placed upon implementing departments and agencies by building from existing evaluation and reporting regimes, and encourage common and comparable evaluation of cybersecurity posture across federal departments and agencies, given diverse requirements and risk environments.
International Aspects, Impacts, and Alignment
Globalization and advances in technology have driven unprecedented increases in innovation, competitiveness, and economic growth. Critical infrastructure has become dependent on these enabling technologies for increased efficiency and new capabilities. Many governments are proposing and enacting strategies, policies, laws, and regulations covering information technology for critical infrastructure as a result. Because many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure, these requirements are affecting, or may affect, how organizations operate, conduct business, and develop new products and services.
Supply Chain Risk Management
Supply chains consist of organizations that design, produce, source, and deliver products and services. All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing, and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and best practices.
Technical Privacy Standards
A key challenge for privacy has been the difficulty in reaching consensus on definition and scope management, given its nature of being context-dependent and relatively subjective. The lack of risk management model, standards, and supporting privacy metrics, makes it difficult to assess the effectiveness of an organization’s privacy protection methods. Furthermore, organizational policies are often designed to address business risks that arise out of privacy violations, such as reputation or liability risks, rather than focusing on minimizing the risk of harm at an individual or societal level. Although research is being conducted in the public and private sectors to improve current privacy practices, many gaps remain. In particular, there are few identifiable technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties.