Subject: OASIS, CTI and NISTIR 8074
Hi Chet et al.,

The release yesterday of NISTIR 8074 on USG engagement in international cybersecurity standardization is a significant development that deserves awareness and vetting on this list. It is certainly relevant to CTI developments. See

Draft NISTIR 8074, Report on Strategic US Government Engagement in International Standardization to Achieve US Objectives for Cybersecurity {Comments due 24 September 2015}

Vol. I Report
<http://csrc.nist.gov/publications/drafts/nistir-8074/nistir_8074_vol1_draft_report.pdf>

Vol. 2: Supplemental Information for the Report
<http://csrc.nist.gov/publications/drafts/nistir-8074/nistir_8074_vol2_draft_supplemental-information.pdf>

In perusing these draft NISTIRs, OASIS treatment is rather perfunctory, and the CTI work that is critically important to cybersecurity isn't even mentioned. Indeed, the most active and important industry venues are not mentioned either. Conversely, most of the old worn and tired "SDOs," especially ISO, get extensive treatment.

One can only imagine the activities of the interagency effort that produced this draft, that basically looks like a government bureaucratic blueprint reminiscent of the old OSI world. What seems begging in the NISTIR's approach is those critical initial steps of discovery and analysis of what is occurring globally. Agency agendas get pushed rather than putting the emphasis where it should be - on industry activities and innovative new fora such as CTI, the Council on CyberSecurity 20 Controls specification that is widely used globally. Similarly, MITRE as a critical and innovative developer of global cyber security standards process is never mentioned, much less recognized for seminal standardization work.

One would hope in the ensuing dialog surrounding 8074, that a larger consideration occurs about the efficacy of methodologies being used here. Note that this is a NISTIR public comment activity for which views may be submitted by 24 Sept.
<http://csrc.nist.gov/publications/PubsDrafts.html>

It seems appropriate for OASIS and other members of CTI to provide their views.

best,
--tony

ps. inquiring minds would ask, if NIST is interested in cybersecurity, why isn't it participating in the ongoing CTI work.