NIST Seeks Security Framework Response

Wednesday, August 27, 2014 @ 01:08 PM gHale


It has been six months since the cybersecurity framework was released, and it is time to start getting some feedback.

Back in February, the National Institute of Standards and Technology (NIST) released version 1.0 of its voluntary Framework for Improving Critical Infrastructure Cybersecurity, an approach organizations of all types can use to create, guide, assess or improve their cybersecurity plans.

The framework was developed with industry in a collaborative and open process over the course of a year, as directed by President Obama in Executive Order 13636. NIST now wants feedback on the framework.

NIST has posted to its Cybersecurity Framework website a preview version of a request for information (RFI) it intends to announce in an upcoming issue of the Federal Register. The goal of the RFI is to gain understanding of organizations’ awareness of and experiences with the framework. NIST is posting the preview to provide organizations additional time to consider the RFI.

Over the past six months, NIST has worked closely with industry groups, associations, non-profits, government agencies and international standards bodies to strengthen awareness of the framework and to promote its use as a basic, flexible and adaptable tool for managing and reducing cybersecurity risks.

“We’ve seen organizations approach the framework in different ways,” said Adam Sedgewick, senior policy analyst for NIST. “Some are using it to start conversations within their organizations or across their sectors, others to create detailed cyber risk management plans. We want to hear from all stakeholders to understand how they’ve used the framework, how it’s been helpful, and where challenges may lie.”

Responses to the RFI will affect NIST’s planning and decisions about possible tools and resources to help organizations use the framework more effectively and efficiently. They also will inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program and frame discussion at the Oct. 29 and 30, 2014, Cybersecurity Framework Workshop, in Tampa, FL.

All responses will be posted on the framework website after the comment period closes, 45 days after the RFI is published in the Federal Register. NIST is looking for comments that will help determine the framework’s usefulness and applicability throughout industry; however, it would like input from all organizations.

In addition to feedback on the framework itself, the RFI asks for input on its accompanying Roadmap, which outlines issues and challenges that need fixing in order to improve future versions of the framework.


