Based on feedback from users, a minor update is in development for the Cybersecurity Framework.
In the just-released Cybersecurity Framework Feedback: What We Heard and Next Steps, the National Institute of Standards and Technology (NIST) said a draft of the update will be published for comment early next year.
NIST plans to review the references in the document to ensure they are current and, per user requests, is considering clarifying the framework's Implementation Tiers, the mechanism by which organizations gauge their approach to managing cybersecurity risk. NIST may also add guidance on applying the framework to supply chain risk management.
The need to refine and clarify small portions of the framework was evident in comments received through a December 2015 Request for Information and an April 2016 workshop that included 800 participants from industry, government and academia.
NIST developed the Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework, in response to Executive Order 13636. Published Feb. 12, 2014, the framework provides voluntary cybersecurity guidance to strengthen the security of the country's critical infrastructure, such as transportation and banking.
“We are working from all of the feedback we’ve received since the framework was published on its use, best practices, outreach, prospective updates and governance,” said Matthew Barrett, NIST Cybersecurity Framework program manager. “The minor updates we have planned for the framework should not disrupt anyone’s ongoing framework use.”
Stakeholder feedback called for other actions that NIST will undertake, such as:
• Publish a governance process that describes how the framework will be maintained and evolved, defines the role of stakeholders, and sets out how they will continue to work together in the future
• Remain as convener of framework stakeholders
• Continue framework outreach and focus on international, small and medium-sized businesses and regulators
NIST is also developing a tool to help an organization assess its cybersecurity risk management process. The Cybersecurity Excellence Builder will be based on the Cybersecurity Framework and on key concepts from the Baldrige Performance Excellence Program.