Attached below are the Center for Regulatory Effectiveness’ comments on the Second Draft of the CAESARS Framework Extension (NIST Interagency Report 7756). The goal of the CAESARS FE document “is to facilitate enterprise continuous monitoring by presenting a reference model that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.”
CRE’s comments explain that “one reason why the CAESARS FE is an important IT security document is that it was written to be useful to industry as well as government.” CRE further explains that the need for government and industry to share commonly applicable IT security models was recently highlighted in an audit report from the Department of Energy’s Office of Inspector General in which the Department noted that “there are currently no Federal or state standards or regulations that mandate cyber security processesor practices for electric distribution systems.”
CRE’s recommendations on the revised draft document include:
1. Use the term Information Security Continuous Monitoring (ISCM), consistent with SP 800-137, in lieu of Continuous Monitoring.
2. Add a section discussing applicability of the CAESARS FE reference model to Big Data.
3. Define “Effectively Implemented ISCM” as:
A risk management approach to Cybersecurity that uses automated data feeds to maintain a current picture of an organization’s security posture by making available for analysis all system interactions and non-actions which could compromise organizational effectiveness while providing visibility into assets, monitoring effectiveness of security controls, assisting in prioritizing remedies, and supporting protective actions.
4. State that the first essential characteristic of an effectively implemented ISCM is:
Maintains a current picture of an organization’s security posture.
5. Expand the CAESARS Reference Architecture to include reference to tools for extracting, parsing and/or otherwise manipulating subsystem sensor data in preparation for analysis.
CRE Comments on CAESARS FE (second draft)