Critical-infrastructure leaders and others have provided feedback on the voluntary, federally led Cybersecurity Framework at the invitation of the National Institute of Standards and Technology (NIST). Today NIST published an analysis of the comments, which affirm the frameworks' current uses, recommend refinements, and suggest future directions.
In February 2014, NIST published the Cybersecurity Framework as called for by Executive Order 13636. The goal of the framework is to minimize risks to the nation's critical infrastructure, such as the transportation, banking, water and energy sectors. The executive order directed NIST to work with stakeholders across the country to develop the voluntary framework based on existing cybersecurity standards, guidelines and best practices.
"We received 105 comments from a diverse group that included local, state national and international governments, a cross section of the critical-infrastructure community, and a number of other types of organizations," said Matthew Barrett, NIST's program manager for the Cybersecurity Framework. "The responses actually represent thousands of organizations because a large number of industry organizations submitted comments on behalf of all of their member companies."
NIST's December 2015 Request for Information on the Cybersecurity Framework called for comments on using the framework to improve cybersecurity risk management, sharing best practices, and long-term governance of the framework.
In the Analysis of Cybersecurity Framework RFI Responses, NIST identifies 10 recurring themes among the responses and provides an explanation of each, along with associated key terms and example responses.
While perspectives varied on whether it would soon be time for a framework update, respondents agreed on the need for a collaborative update process, similar to the initial development process, and with minimal disruption to current industry use, as explained in the document. Some commenters said the focus should be on clarifying use of the framework, in particular for supply chain risk management and when using Implementation Tiers.
Respondents discussed the relationship between the framework and regulatory requirements. For example, respondents discussed the possibility that it could enable multiple regulatory agencies to align diverse requirements in the regulatory process. But respondents also called for "caution against the potential for regulation to add burdens on their organizations," according to the analysis.
Other themes focused on sharing additional information about framework use and best practices. Respondents requested more guidance on framework implementation, particularly for small- and medium-sized businesses. Another theme covered the need for continued international alignment and harmonization of cybersecurity standards.
Commenters were comfortable with NIST's current leadership but wanted to consider transition in the future. The consensus was that the future steward of the framework should be a respected, internationally recognized, neutral third-party organization.
"These comments provide strong input for the framework's future and revealed that the number of organizations using the framework is growing," said Barrett.
To kick off discussion at its upcoming Cybersecurity Framework Workshop 2016, the report released today includes questions related to each of the themes. The workshop will be held at NIST's Gaithersburg, Md., campus April 6-7. The draft agenda and registration information is available. Two optional seminars on Tuesday, April 5, will provide an overview of the framework with time set aside for questions. Registration closes March 30, 2016.
All RFI responses are available on the Cybersecurity Framework web page.