Cybersecurity Framework - Framework Development
Background - NIST Responsibilities
NIST has developed the voluntary Framework in a manner consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework has been developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. That includes an open public review and comment process, workshops, and other means of engagement. To develop the Framework, over the course of a year, NIST used a Request for Information (RFI) as well as extensive outreach and five workshops around the country to: (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) specify high-priority gaps for which new or revised standards are needed; and (iii) collaboratively develop action plans by which these gaps can be addressed. The Framework seeks to promote wide adoption of practices to increase cybersecurity across all sectors and industry types. It seeks to provide owners and operators a flexible, repeatable, and cost-effective risk-based approach to implementing security practices while allowing organizations to express requirements to multiple authorities and regulators.
As part of its ongoing stakeholder engagement, NIST has issued several other Requests for Information and held four additional workshops to understand how the Framework is being used and how it might be improved and updated. The most recent workshop took place April 6-7, 2016, with approximately 800 participants. NIST is now considering input from that workshop and the results of a December 11, 2015, RFI, as it decides on minor Framework updates. NIST will again engage stakeholders through a public process on any future updates.