Over the past few months, NIST has been seeking feedback on the use of, and improvements to, its cybersecurity resources through the Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” In this RFI, NIST asked about evaluating and improving the NIST Cybersecurity Framework (CSF or Framework), use of the Framework in conjunction with other resources, and improving supply chain cybersecurity risk management. The RFI garnered 134 comments (at date of publication) from a diverse range of stakeholders. A team that included staff who lead every major NIST cybersecurity and privacy framework and publication pored over these comments, and NIST staff held one-on-one listening sessions with stakeholders to expand on the written comments. Adjudication of the comments will continue over the next several months, but in the near term, NIST has released a summary analysis document that will guide our work. You can check out the analysis on the CSF website.
The comments in response to the RFI will drive multiple efforts at NIST; they covered important issues like cybersecurity risk management, supply chain cybersecurity, cybersecurity metrics, privacy, and emerging technologies, which overlap nicely with NIST’s cybersecurity and privacy program priority areas. The comments will inform improvements to the CSF, as well as guide our efforts under the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), our recently launched public-private partnership to build on our efforts in supply chain cybersecurity. We encourage you to think about how NIST can address the themes identified in the summary analysis.
Several RFI comments provided substantive and helpful feedback on the CSF and confirmed that NIST should proceed to develop CSF 2.0.
The CSF was intended to be a living document that is refined, improved, and evolves over time to keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice. While organizations currently find the CSF useful for managing risks, we believe that, given evolving threats, technologies, and policies, an update will make it easier for organizations to manage growing risks effectively. Based on the high level of constructive response to the RFI and our listening sessions, we think we will have the support to do so.
When I was asked to lead the CSF program through this 2.0 update process, my initial verbal response was “I don’t want to screw up the Framework.” To which Kevin Stine, Chief Cybersecurity Advisor and Applied Cybersecurity Division Chief at NIST, replied, “We won’t let you.” Kevin’s reassurance aside, I will seek and rely on stakeholder engagement to ensure that the Framework addresses the dynamic cybersecurity risk management challenges organizations face, and so that it can be used even more widely by organizations of varying sizes and sectors around the world. The statutory authority for the CSF directs NIST to “facilitate and support the development” of the Framework and “coordinate closely and regularly” with stakeholders. With this update, NIST is open to making bigger changes to the Framework than in the last update, aiming for a “CSF 2.0” rather than a “CSF 1.2,” but stakeholders will drive the changes, including their extent.
During the comment reviews, it was a pleasure to read about how organizations are using the Framework. The majority of the commenters agreed that the Framework is currently effective as a tool for understanding and managing cybersecurity risks. In addition, it has allowed organizations to improve communication between IT and non-IT audiences, including senior management. Because of this important feedback, we will be cognizant of the need to avoid changes that would limit its widespread use. Therefore, we do not envision significant changes to the CSF structure – the Tiers, the Core, and the Profiles – but you can expect to see modifications throughout the Framework.
There was considerable feedback recommending alterations or additions to the Framework Core to address governance, supply chain security, secure software, and emerging technologies. The RFI specifically asked about whether and how to incorporate supply chain cybersecurity or third-party risk into the CSF, which will be a significant focus for NIST as we proceed with this update. In addition, we expect continued lively discussion on the Tiers and whether they should be used to assess the maturity of an organization’s cybersecurity posture or risk management processes.
Another reason NIST is looking toward a CSF 2.0 is the way we will approach applying the Framework. We will seek to develop new interactive and machine-readable formats for this resource. Also, to keep the CSF simple and flexible, NIST will improve awareness of how the National Online Informative References (OLIR) Program can be used to map the CSF to other NIST and non-NIST cybersecurity frameworks and guidance. Additionally, NIST intends to develop implementation guidance to help organizations use the CSF, particularly those that are just starting to develop their cybersecurity programs.
I encourage stakeholders to keep engaging in our collaborative process of updating the Framework. Specific ways to engage include:
I am honored to lead the NIST Cybersecurity Framework program, including through this update. I also spend my days advising NIST on cybersecurity, privacy, and artificial intelligence policy and strategy and am active in the development of the NIST AI Risk Management Framework. Prior to joining NIST this fall, I spent more than a decade in staff leadership roles in the U.S. Congress. My years on the Hill taught me to identify commonalities across seemingly disparate positions, identify and understand the core of an issue, and simplify complex issues for all audiences. With this expertise, I plan to enhance the bridges across cybersecurity programs at NIST and hope the Cybersecurity Framework will be an important part of that.
I also am proud to be the first woman to lead the Cybersecurity Framework for NIST. I almost did not single out this little moment in history, but at a time when less than a quarter of the cybersecurity workforce is made up of women, I thought it important to highlight my role and the work of my colleagues. Many of NIST’s technology frameworks are led by women, who will be involved in the CSF update. Given this, I am making a commitment to ensure speakers at NIST Cybersecurity Framework workshops reflect the diversity of the population.
The RFI comments provided substantive feedback on our cybersecurity and privacy resources. I appreciate the engagement thus far, and I look forward to meeting you during this exciting journey to update the Framework. CSF 2.0, here we go!