The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.
Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.
Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.
The RFI asks the industry to report on a series of questions. Some of the interesting questions include:
- How have organizations learned about the Framework?
- If your sector is regulated, do you think your regulator is aware of the Framework, and do you think it has taken any visible actions reflecting such awareness?
- What benefits have been realized by early experiences with the Framework?
- Have organizations that are using the Framework integrated it with their broader enterprise risk management program?
- Are organizations changing their cybersecurity governance as a result of the Framework?
- What about the Framework is most helpful and why? What is least helpful and why?
From the initial discussions in developing Framework 1.0, NIST has stressed that it is in fact a “process” and that the Framework is expected to be a “living document” that will continue to change and develop as it is used and the cyber landscape changes. The comments will be used as a baseline for discussions at an upcoming workshop, scheduled for Oct. 29-30 at the University of South Florida in Tampa. To that end, the RFI comments highlighting challenges or issues could very well spark discussions for a Framework 2.0.
NIST also stated the responses will impact the Critical Infrastructure Cyber Community C3 Voluntary Program – the DHS incentives program focused on encouraging voluntary adoption of the Framework across industry sectors. Additionally, the RFI may influence the FCC’s cybersecurity policies and CSRIC’s approach to developing cybersecurity best practices for the communications industry (see our earlier blog post for background on the FCC’s cybersecurity policies).
Comments are due October 10, 2014, and companies are encouraged to participate. All responses will be posted and publicly available on NIST’s website.