This online learning module provides readers with insight into how NIST plans to maintain the Framework for Improving Critical Infrastructure Cybersecurity ("The Framework"). This online learning module builds on the History and Creation of the Framework by describing how lessons learned from developing the Framework and preparing for the release of Version 1.1 led to the Framework update process.
NIST routinely engages industry through three primary activities. First, NIST continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs. Second, NIST solicits direct feedback from industry through requests for information (RFI), requests for comments (RFC), and through the NIST Framework team’s email (firstname.lastname@example.org). Finally, NIST observes and monitors relevant resources and references - including descriptions of Framework use - published by government, academia, and industry.
As described in Figure 1, below, NIST catalogs all comments and feature enhancements received on the Framework in a Features List. NIST then categorizes all comments and feature enhancement suggestions on the Features Lists as either Major, Minor, or Administrative comments based on the degree to which implementing the change would impact compatibility with prior versions of the Framework. The features are also prioritized based on their perceived importance to stakeholders.
Figure 1. Features List
The Framework is a living document and is intended to be updated based on industry feedback and recommendations as well as NIST’s continued goal to inform the community. The Features List aides NIST in properly tracking, adjudicating, and incorporate comments into updates as appropriate.
Update Process Flow
The Framework update process integrates the NIST Cybersecurity Risk Management Conference into a public-private dialog that asks stakeholders every three years:
- Is it an appropriate time for an update, and if so
- What would you like to see in that update (Figure 2)?
Stakeholder input helps NIST determine whether an update is warranted and what type of update is needed (major, minor, administrative).
Figure 2. Update Process Flow
If NIST learns that industry is not prepared for a new update, or sufficient features have not been identified to warrant an update, NIST continues to collect comments and suggestions for feature enhancement, bringing those topics to the annual Cybersecurity Risk Management Conference for discussion, until such a time that an update is warranted
If the Framework stakeholders believe an update is needed, NIST discerns the type of update required and creates a Draft Framework Update. The Draft Framework Update is published before the annual Cybersecurity Risk Management conference. During the conference, NIST establishes tracks to allow conference participants an opportunity comment on the proposed draft.
With stakeholder disposition understood from the most recent conference, NIST then publishes a final version of the Framework. This process repeats over time to refine, clarify, and enhance the Framework.
For additional details regarding the evolution of the Framework see The Evolution of the Framework.