Today the National Institute for Standards and Technology (NIST) published a request for information (RFI) in the Federal Register (80 FR 76934-76936) seeking information on the “Framework for Improving Critical Infrastructure Cybersecurity” (Cybersecurity Framework – CSF). This is part of an on-going effort by NIST to improve the efficacy and employment of the CSF.
According to the RFI the CSF consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. It was published in February 2014 after a publicly inclusive process in a series of meetings and workshops over the period of a year. A subsequent RFI was published in August of 2014 to gauge how the CSF was being put into use by the private sector.
In today’s RFI NIST is seeking specific information about the variety of ways in which the Framework is being used and the relative value of different parts of the Framework, the possible need for an update of the Framework, how best practices for using the Framework are being shared and might be enhanced, and the long-term governance of Framework. Specifically, NIST is looking for information regarding:
• Use of the CSF (9 specific questions);
• Possible CSF updates (6 specific questions);
• Sharing information using the CSF (4 specific questions); and
• Private sector involvement in the future governance of the CSF (6 specific questions)
NIST continues to use their own internal comment submission process rather than using the Federal eRulemaking Portal. NIST requests that users use their EXCEL® based template for submitting comments. This has proven a very successful technique that allows NIST to turn around the processing and cataloging of large numbers of comments in a very short time. Comments may be submitted via email to firstname.lastname@example.org. NIST is requesting that comments be submitted by February 9th, 2016.