This is part of an ongoing look at the responses
to the National Institute of Standards and Technology's (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). As a reminder, the comment period will remain open until February
9th, 2016. The previous posts in this series include:
As of this morning there is only one new response posted to
the RFI Response site. It comes from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
Danilo noted that existing duplications and inconsistent
policies across agencies resulted from “lack of collaboration and coordination
across agencies”. This could be prevented by continuing the NIST process.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
Not addressed in this response.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
Not addressed by this commenter.
Commentary
The response today continues the unresponsive nature of the
contributions to date. While the comments certainly have merit, they continue
to ignore the basic questions posed by NIST with regard to future actions to
improve the CSF.
With just a little over two weeks left in the comment
period, it is very disappointing to see only six comments submitted to date.
Hopefully we will begin seeing responses from corporate America next week.