Gartner Blog Network


A Few Thoughts on the NIST CSF

by Ben Tomhave  |  October 29, 2013  |  7 Comments

Pre-dating my joining Gartner, I am currently co-chair of the Information Security Committee within the American Bar Association’s Section of Science and Technology. This blog post was triggered by conversations that occurred at the Fall 2014 ISC meeting, which was held over the weekend of October 26-27 in Washington, DC. The ISC also traditionally meets the Saturday and Sunday preceding the RSA USA Conference, as well as contributing content to the Law Track of that event.

NIST last week released the most recent draft of the Cybersecurity Framework (CSF), providing an opportunity for public comment. This document was triggered by an Executive Order issued earlier in 2013 by President Obama, and is the result of the combined efforts of NIST, DHS, and industry contributors. The full document is available here: http://nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf

We had an interesting panel presentation and discussion on Saturday (10/26) about the CSF, which included these points:

  • In conjunction with the Safety Act, there may be some liability protection for businesses deemed to be in compliance with the CSF, assuming that a terrorist event has been declared.
  • While CSF is voluntary, it will start showing up in government contracts as soon as the CSF is final (as per the original Executive Order). Any organization working with the US Government should familiarize itself with the CSF and provide feedback now while the opportunity exists.
  • While the original Executive Order, and the CSF itself, describe the requirements as being targeted to “critical infrastructure,” enterprises should not assume that it won’t be applied to them. In part, this is because “national security” interests are continually broadening what is considered “critical infrastructure” (for example, see commentary from this NY Times piece on whether or not Google is “critical infrastructure”).
  • While voluntary, the existence of CSF, with the implied blessing or acceptance by industry, may rise to a “de facto standard” such that it could effectively set a minimum set of practices that enterprises must meet. Thus, failing to meet the details of the CSF could lead to cases accusing an enterprise of being negligent. Thankfully, CSF is not prescriptive (incredibly watered-down, in fact), but this still raises an interesting question, which the courts will inevitably be left to settle on their own.
  • It was theorized by the panel that CSF may also be integrated into the basis of cyber-insurance premiums, with “compliance” leading to discounts.
  • CSF “compliance” is an interesting topic insomuch as there’s not really any sort of certifying body, nor is there necessarily much against which one could be certified. Overall, it encourages following good practices, which all existing frameworks, standards, and guides already encourage.

In addition to the CSF, it was pointed out that the US Government does have another source of open information that may be of interest to enterprises. The National Counterintelligence Executive provides open reports that can be leveraged in crafting ongoing strategies and for integration into risk management analyses.

Overall, the industry reaction to the CSF itself has been fairly muted. The document itself is thin and incomplete. Conformance/compliance is voluntary, at least until it starts showing up in other requirements (such as government contracts). The document maps itself to prevailing frameworks like COBIT and ISO 27001/27002, which means that organizations following those frameworks would benefit from a quick reverse-mapping exercise to account for any reporting or future audits that might be conducted.

Beyond that, it will be interesting to see how common law evolves around the notion of “commercially reasonable security practices.” It’s not inconceivable to think that the courts might adopt CSF as an initial minimum baseline. Making sure that your enterprise can at least meet these criteria would probably be a worthwhile effort.

A great comment from the panel was this: “Don’t be the low-hanging fruit.” The CSF theoretically helps raise the bar, even if just a little bit. Whether or not it will have a significant impact overall is yet to be determined.


Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.


Thoughts on A Few Thoughts on the NIST CSF


  1. Andy Bochman says:

    Just reading this piece now Ben, with help from Google. Given that we’re in mid January and NIST has announced release of the 1.0 version on Feb 12, is there anything you’d add from what you’ve learned since October? Thanks, Andy

    • Ben Tomhave says:

      It’s too early to tell, Andy. I did see a comment in passing that much of the privacy requirements have been stripped. We’ll have to wait and see what the final version holds.

  2. […] care takes a lot of time. It’s been suggested in some circles (particularly on The Hill) that the NIST CSF may fill that void (for better or worse). One challenge here, however, is that the courts are […]



