This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:
As of this morning there are only one new response posted to the RFI Response site. They come from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”
Danilo noted that existing duplications and inconsistent policies across agencies resulted from “lack of collaboration and coordination across agencies”. This could be prevented by continuing NIST process.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
Not addressed in this response.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
Not addressed by this commenter.
The response today continues the unresponsive nature of the contributions to date. While the comments certainly have merit, they continue to ignore the basic questions posed by NIST in regards to future actions to improve the CSF.
With just a little over two weeks left in the comment period, it is very disappointing to see only six comments submitted to date. Hopefully we will begin seeing responses from corporate America next week.