NIST Framework Update – 06-09-16

This week the National Institute of Standards and Technology (NIST) published a document summarizing the results of the workshop that they held in April on the future of the Cybersecurity Framework (CSF). The document summarizes the views expressed by workshop participants and outlines the continuing steps that NIST intends to undertake in support of the CSF.

There were seven major topic areas covered in the document with two receiving detailed discussion. The seven topics were:

• Background;

• Cybersecurity Framework Use;

• Evolution and Maintenance;

• “Best Practice” Sharing;

• Roadmap for Improving Cybersecurity;

• Update; and

• Next Steps

The first area that included a more detailed discussion was the Roadmap. Topics discussed included:

• Authentication;

• Automated Indicator Sharing;

• Assessment and Confidence Mechanisms;

• Cybersecurity Workforce;

• Federal Alignment;

• International Aspects, Impacts, and Alignment;

• Supply Chain Risk Management; and

• Technical Privacy Standards

As expected the final area to receive detailed attention was the ‘Next Steps’ portion of the document. This was divided into two sections; NIST Actions and Recommended Stakeholder Actions. The later included discussions on:

• Customizing the Framework for your sector or community;

• Publishing a sector or community Profile or relevant “crosswalk.”;

• Advocating for the Framework throughout your sector or community, with related sectors and communities;

• Publishing “summaries of use” or case studies of your Framework implementation; and

• Sharing your Framework resources with NIST.

There is no time table mentioned in the document for updating the CSF, but it is being reported (here and here) that NIST is expecting to publish an update next year. If past history is any guidance, I would expect NIST to hold a series of future workshops during the development process.