CybersecurityNIST to refine Cybersecurity Framework after comments from stakeholders

The National Institute of Standards and Technology (NIST) is developing a minor update of its Cybersecurity Framework based on feedback from its users. In the just-released Cybersecurity Framework Feedback: What We Heard and Next Steps, NIST is announcing that a draft of the update will be published for comment in early 2017.

NIST says that it plans to review references in the document to ensure that they are current, and per user requests, is considering clarifying the framework’s Implementation Tiers, a mechanism for organizations to gauge their approach to managing cybersecurity risk. NIST may also add guidance for applying the framework for supply chain risk management.

The need to refine and clarify small portions of the framework was evident in comments received through a December 2015 Request for Information and an April 2016 workshop (see video of event) that included 800 participants from industry, government and academia. 

NIST notes that that it developed the Framework for Improving the Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework, in response to Executive Order 13636. Published 12 February 2014, the framework was designed to provide voluntary cybersecurity guidance to strengthen the security of the country’s critical infrastructure such as transportation and banking. 

“We are working from all of the feedback we’ve received since the framework was published on its use, best practices, outreach, prospective updates and governance,” said Matthew Barrett, NIST Cybersecurity Framework program manager. “The minor updates we have planned for the framework should not disrupt anyone’s ongoing framework use.” 

The rich body of stakeholder feedback called for other actions that NIST will undertake:

• Publish a governance process that outlines the process of framework maintenance and evolution and defines the role of stakeholders and how they will continue to work together in the future.
• Remain as convener of framework stakeholders.
• Continue framework outreach and focus on international, small and medium-sized businesses and regulators.

Also, NIST is developing a tool to help an organization assess its cybersecurity risk management process. The Cybersecurity Excellence Builder will be based on the Cybersecurity Framework and key concepts from the NIST-developed Baldrige Performance Excellence Program. 

NIST says it recommends that stakeholders continue their work by customizing the framework for their sector or community; publishing sector or community profile documents; hosting framework meetings, workshops and conferences; advocating for the framework within a sector or community; distributing case studies of framework implementation; and sharing framework resources with NIST to add to the framework’s Industry Resources Web page.