*Feb. 9, 2016, update: The deadline for this RFI has been extended to Feb. 23, 2016.*
The National Institute of Standards and Technology (NIST) is seeking information on how its voluntary "Framework for Improving Critical Infrastructure Cybersecurity" is being used, as well as feedback on possible changes to the Framework and its future management.
A preview copy of the Request for Information (RFI) was posted to the Federal Register today. The comment period opens tomorrow, Friday, Dec. 11, 2015, and closes Feb. 9, 2016.
Developed in response to a 2013 Executive Order, the Framework consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches.
"The process to develop the Framework brought together both private and public sector organizations and resulted in a document that is being used by a wide variety of organizations," said Adam Sedgewick, NIST senior information technology policy advisor. "We're looking forward to receiving feedback on specific questions about its use and how it might be improved."
The Framework was released in February 2014, after a year-long, open process that included input from industry, academia and government agencies at the federal and state levels. An increasing number of organizations that are part of the nation's critical infrastructure, including the energy and financial sectors, as well as other private and public organizations, have been using the Framework to improve their management of cyber risks.
To fulfill its responsibilities under the Cybersecurity Enhancement Act of 2014, NIST is committed to maintaining an inclusive approach that incorporates the views of a wide array of individuals, organizations and sectors.
In the RFI, NIST asks specific questions about:
- the variety of ways in which the Framework is being used to improve cybersecurity risk management,
- how best practices for using the Framework are being shared,
- the relative value of different parts of the Framework,
- the possible need for an update of the Framework, and
- options for the long-term management of the Framework.
Responses to this RFI—which will be posted publicly—will inform NIST's planning and decision-making about how to further advance the Framework so that the nation's critical infrastructure is more secure and resilient. For more information and a form for submitting comments on the RFI, visit the Framework website.
Feedback gathered from the RFI also will assist in developing the agenda for a workshop on the Framework being planned for April 6 and 7, 2016, at NIST's Gaithersburg, Md., campus. Specifics about the workshop will be announced at a later date.