Responses to Latest CSF RFI – 01-16-16

This is part of an ongoing look at the responses to the National Institute of Standards and Technology's (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). As a reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:

As of this morning there are only two new responses posted to the RFI Response site. They come from:

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

Not addressed by either commenter.

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

One of the commenters noted that the use of the CSF should be expanded to all small and medium businesses, even those not specifically considered ‘critical infrastructure’.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

Not addressed by either commenter.


Both responses posted today were remarkably non-contributory to the intended discussion. With the comment period over halfway completed, the number of responses has been underwhelming to say the least, but that is fairly typical of the response process. The response rate should increase significantly as the deadline approaches. It takes time for organizations to develop their official responses.

