OASIS Mailing List Archives

cti message



Subject: OASIS, CTI and NISTIR 8074


Hi Chet et al.,

The release yesterday of NISTIR 8074 on USG
engagement in international cybersecurity
standardization is a significant development
that deserves awareness and vetting on this
list.  It is certainly relevant to CTI developments.

See Draft NISTIR 8074, Report on Strategic US
Government Engagement in International
Standardization to Achieve US Objectives for
Cybersecurity {Comments due 24 September
2015}
Vol. I Report
<http://csrc.nist.gov/publications/drafts/nistir-8074/nistir_8074_vol1_draft_report.pdf>
Vol. 2: Supplemental Information for the Report
<http://csrc.nist.gov/publications/drafts/nistir-8074/nistir_8074_vol2_draft_supplemental-information.pdf>

In perusing these draft NISTIRs, OASIS
treatment is rather perfunctory, and the CTI
work that is critically important to
cybersecurity isn't even mentioned.   Indeed,
the most active and important industry venues
are not mentioned either.  Conversely, most of
the old worn and tired "SDOs," especially
ISO, get extensive treatment.

One can only imagine the activities of the
interagency effort that produced this draft,
that basically looks like a government
bureaucratic blueprint reminiscent of the old
OSI world.

What seems begging in the NISTIR's approach
is those critical initial steps of discovery
and analysis of what is occurring globally.
Agency agendas get pushed rather than putting
the emphasis where it should be - on industry
activities and innovative new fora such as
CTI, the Council on CyberSecurity 20 Controls
specification that is widely used globally.
Similarly, MITRE as a critical and innovative
developer of global cyber security standards
process is never mentioned, much less
recognized for seminal standardization work.

One would hope in the ensuing dialog
surrounding 8074, that a larger consideration
occurs about the efficacy of methodologies
being used here. Note that this is a NISTIR
public comment activity for which views may
be submitted by 24 Sept.
<http://csrc.nist.gov/publications/PubsDrafts.html>

It seems appropriate for OASIS and other
members of CTI to provide their views.

best,
--tony

ps. inquiring minds would ask, if NIST is
interested in cybersecurity, why isn't
it participating in the ongoing CTI work.




