Six months ago, the National Institute of Standards and Technology (NIST) released version 1.0 of its voluntary Framework for Improving Critical Infrastructure Cybersecurity, a methodical approach that organizations of all types can use to create, guide, assess or improve their cybersecurity plans. The framework was developed with industry in a collaborative and open process over the course of a year, as directed by President Obama in Executive Order 13636. NIST is now seeking public feedback on the framework.
NIST has posted to its Cybersecurity Framework website a preview version of a request for information (RFI) it intends to announce in an upcoming issue of the Federal Register. The goal of the RFI is to gain understanding of organizations' awareness of and experiences with the framework. NIST is posting the preview to provide organizations additional time to consider the RFI.
Over the past six months, NIST has worked closely with industry groups, associations, non-profits, government agencies and international standards bodies to strengthen awareness of the framework and to promote its use as a basic, flexible and adaptable tool for managing and reducing cybersecurity risks.
"We've seen organizations approach the framework in different ways," said Adam Sedgewick, senior policy analyst for NIST. "Some are using it to start conversations within their organizations or across their sectors, others to create detailed cyber risk management plans. We want to hear from all stakeholders to understand how they've used the framework, how it's been helpful, and where challenges may lie."
Responses to the RFI will affect NIST's planning and decisions about possible tools and resources to help organizations use the framework more effectively and efficiently. They also will inform the Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program and frame discussion at the Oct. 29 and 30, 2014, Cybersecurity Framework Workshop, in Tampa, Fla.
All responses will be posted on the framework website after the comment period closes, 45 days after the RFI is published in the Federal Register. NIST is especially interested in comments that will help to determine the framework's usefulness and applicability throughout industry, but input from all organizations is encouraged.
In addition to feedback on the framework itself, the RFI asks for input on its accompanying Roadmap, which outlines issues and challenges that should be addressed in order to improve future versions of the framework.
- The preview version of the Request for Information (link removed; no longer available)
- Feb. 12, 2014 Announcement of the Framework, 1.0: www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
- Federal Register: https://www.federalregister.gov/