Microsoft’s Perspective on the NIST Preliminary Cybersecurity Framework: Four Recommendations for the Final Stages of Development

Last week, Microsoft filed comments with the National Institute of Standards and Technology (NIST) on the Preliminary Cybersecurity Framework.  I wanted to share a summary of our perspective on the Framework, as well as our recommendations to NIST as it continues development toward final publication in February 2014.  These comments continue our efforts to encourage thoughtful consideration of the Framework: convening events at our Innovation and Policy Center, participating in NIST’s Framework workshops, and delivering prior comments on the Framework and recommendations for incentives for its adoption.

We commend NIST on the Preliminary Cybersecurity Framework, which represents a significant step towards outlining cybersecurity guidance for critical infrastructure and other organizations that should be broadly applicable in helping to improve cybersecurity policies, practices and procedures.  The Framework’s structure and content – particularly its reliance on international standards and well-known cybersecurity guidelines – present a baseline for organizations to develop and assess cybersecurity risk management.  We appreciate the careful integration of privacy guidance, since an effective Framework must address the privacy implications of cybersecurity activities.

In our comments we also recommended four actions that we believe will help maximize the potential benefits of the Framework for implementing organizations and others:

Expand the Framework’s security guidance related to secure engineering and asset management.  We recommended that NIST broaden its discussion on secure engineering practices.  As we’ve learned through years of implementing Microsoft’s Security Development Lifecycle, secure engineering practices reduce the number and severity of vulnerabilities in deployed technology, help establish appropriate processes to ensure maintenance and response, and improve the resiliency of the systems designed with those tenets.

Focus the Framework’s privacy guidance.  We recommended that NIST focus the scope of the Framework’s privacy guidance to better align with the scope of the Executive Order’s instructions to NIST regarding privacy in the Framework.  As currently drafted, the Framework introduces a broad spectrum of provisions that would create unnecessary, onerous compliance costs and risk discouraging organizational adoption of the Framework.  In our comments, we offer suggestions about how to better align and integrate the Framework’s security and privacy guidance.

Streamline the Framework’s structure.  We recommended two structural changes for NIST to consider in the final Framework.  First, NIST should integrate Appendices A and B into a unified Framework that is inclusive of both security and privacy guidance.  This integration would create an opportunity for implementing organizations to consider privacy as an inherent element across all functions in the Cybersecurity Framework.  Second, NIST should define “adoption” in the Framework Glossary.  Borrowing from language set forth in Appendix A of the Preliminary Framework, this definition should emphasize that organizations can adopt the Framework to support their own risk management goals and needs.

Allow an additional opportunity for public comment on the revised Framework.  Finally, we recommended that NIST consider an interim release and comment period for the near-final Framework prior to its delivery in February.  Because the structure and content (particularly with respect to privacy) are likely to change significantly, an interim release would aid organizations that are working to determine whether and how to implement the Framework in their organizational policies, practices and procedures.

We commend NIST on this milestone.  We especially appreciate NIST’s exceptional transparency and deep engagement with the private sector in the development of the Framework. We look forward to continued partnership with NIST and other government agencies on the Framework and related initiatives to strengthen the resiliency of critical infrastructure.

Paul Nicholas
Senior Director, Global Security Strategy
Microsoft Corporation

About the Author
Paul Nicholas

Senior Director, Trustworthy Computing

Paul Nicholas leads Microsoft’s Global Security Strategy and Diplomacy Team, which focuses on driving strategic change, both within Microsoft and externally, to advance infrastructure security and resiliency. His team addresses global challenges related to risk management, incident response, emergency communications,