NIST Releases Cybersecurity Framework Feedback

The National Institute of Standards and Technology (NIST) has released its analysis of the feedback received to date on its Cybersecurity Framework. The Framework, issued on February 12, 2014 under the President’s Executive Order on Improving Critical Infrastructure Cybersecurity, is a set of voluntary guidelines, developed through stakeholder processes based on existing standards, guidelines, and practices, for reducing cybersecurity risk for organizations within critical infrastructure sectors. To assess how well the Framework is being implemented, NIST sought written comments and held an in-person workshop. On December 5, 2014, NIST released its summary of this feedback and its plans for the Framework.

Comments indicate that there is a “general awareness” of the Framework among critical infrastructure owners and operators, but that “more could and should be done” to increase awareness, through both government and industry-led efforts. Some comments suggested the use of additional resources and “real world” applications of the Framework to increase awareness.

NIST found that organizations are using the Framework in a variety of ways, including raising awareness of cyber risks, communicating with vendors, strategic planning, and benchmarking performance.

There was “widespread agreement” that it was too early to update the Framework. Instead, NIST will focus on providing clarification and guidance on how to use the Framework. Some commenters expressed concern that the Framework would result in duplicative regulation and recommended that NIST reach out to regulators to avoid additional regulation.

Comments also addressed NIST’s “roadmap” of additional, high-priority areas for development to complement the Framework, such as authentication, supply chain risk management, and privacy.

For its next steps, NIST expects to continue efforts to raise awareness of the Framework, through partnerships with other organizations, the development and dissemination of information and training materials that advance use of the Framework, and additional workshops and webinars.
