It is one thing to have a published guideline for security; it is quite another to see it in action. That is why the National Institute of Standards and Technology (NIST) is seeking information on how users are using NIST’s voluntary “Framework for Improving Critical Infrastructure Cybersecurity.”
NIST is also seeking feedback on possible changes to the Framework and its future management.
NIST posted a preview copy of the Request for Information (RFI) to the Federal Register. The comment period opened Friday, Dec. 11 and closes Feb. 9, 2016.
Developed in response to a 2013 Executive Order, the Framework consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches.
“The process to develop the Framework brought together both private and public sector organizations and resulted in a document that is being used by a wide variety of organizations,” said Adam Sedgewick, NIST senior information technology policy advisor. “We’re looking forward to receiving feedback on specific questions about its use and how it might be improved.”
The Framework was released in February 2014, after a year-long, open process that included input from industry, academia and government agencies at the federal and state levels. An increasing number of organizations that are part of the nation’s critical infrastructure, including the energy and financial sectors, as well as other private and public organizations, have been using the Framework to improve their management of cyber risks.
To fulfill its responsibilities under the Cyber Security Enhancement Act of 2014, NIST is committed to maintaining an inclusive approach that incorporates the views of a wide array of individuals, organizations and sectors.
In the RFI, NIST asks specific questions about:
• The variety of ways in which the Framework is being used to improve cyber security risk management
• How best practices for using the Framework are being shared
• The relative value of different parts of the Framework
• The possible need for an update of the Framework
• Options for the long-term management of the Framework
Responses to this RFI — which NIST will post publicly — will inform NIST’s planning and decision-making about how to further advance the Framework so the nation’s critical infrastructure is more secure and resilient.
Feedback gathered from the RFI also will assist in developing the agenda for a workshop on the Framework planned for April 6 and 7, 2016, at NIST’s Gaithersburg, Md., campus.