The National Institute of Standards and Technology (NIST) has posted an initial analysis of hundreds of comments submitted by industry and the public related to the President's "Improving Critical Infrastructure Cybersecurity" Executive Order, issued Feb. 12, 2013. NIST is making this initial analysis available as a status update and to help provide background for a workshop later this month to discuss the cybersecurity framework.
The Executive Order calls for NIST to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation's critical infrastructure, which includes power, water, communication and other critical systems. The first step toward drafting the framework was soliciting information on current risk management policies, existing standards and guidelines, and specific industry practices from stakeholders through a Request for Information (RFI). These comments were due April 8, 2013. NIST received more than 200 responses and posted them publicly.*
NIST's approach to analyzing the input from the RFI, and the common cybersecurity framework themes that emerged from that analysis, are described in the paper "Initial Analysis of Cybersecurity Framework RFI Responses." In addition to identifying and describing the common themes, the paper provides questions for stakeholders to consider.
The paper can be found at http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf, and additional information about the cybersecurity critical infrastructure framework project is available at the Cybersecurity Framework website. Information on the 2nd Cybersecurity Framework Workshop, May 29-31, 2013, at Carnegie Mellon University is available online.