Public comments on updating the National Institute of Standards and Technology’s (NIST), the Framework for Improving Critical Infrastructure Cybersecurity (CSF), highlight private and public sector interest in this core foundational guidance document. NIST is now adjudicating the 130 comments it received in response to its Request for Information (RFI) related to a potential update to the CSF. The RFI also sought comment on NIST’s National Initiative for Improving Cybersecurity in Supply Chains (NIICS)—a new public-private partnership that will seek to address cybersecurity supply chain risk management (C-SCRM) issues—as well NIST’s other C-SCRM efforts.
A diverse group of organizations participated in this proceeding, including trade associations, industry coalitions, individual companies, standards organizations, security vendors, and federal agencies such as the Cybersecurity and Infrastructure Security Agency, the Federal Aviation Administration, and the U.S. Department of Energy. The comments provide a window into stakeholders’ concerns and the issues NIST will be addressing as it moves forward.
Many commenters discussed the CSF’s utility as a flexible, voluntary, and risk-based document that can be applied in any number of use cases. To that end, the record reflects a general agreement that the CSF is relied upon heavily and that significant changes would be disruptive to its usability and longevity. Numerous organizations provided details on the ways in which they implement the CSF to improve their security posture.
Although the record demonstrates general agreement on the CSF’s utility, commenters did seek various changes to the CSF. Several communications and technology trade associations sought targeted changes, such as updating the Informative References that NIST provides on its Informative Reference Catalog and mapping the CSF to additional frameworks, regulations, and standards. Certain individual companies, as well as a few information technology trade associations, recommended that NIST provide more clarity around its Implementation Tiers, which are intended to provide context on how an organization views cybersecurity risk and its processes to manage that risk.
A smaller group of commenters sought more substantial changes to the CSF. For example, a few commenters sought significant changes to the CSF’s treatment of C-SCRM, including changes to the CSF’s Categories and Subcategories. However, many of the commenters that addressed C-SCRM discouraged NIST from building a new C-SCRM framework that is separate from the CSF. Other commenters, including organizations from the financial sector, asked for NIST to add a Governance function to the CSF to make it more comprehensive. Additionally, a couple of federal agencies asked NIST to incorporate zero trust concepts into the CSF.
NIST plans to hold additional workshops to gain further perspectives on potential changes to the CSF. It is likely that NIST will also release public drafts of the updated CSF, which would provide additional opportunities for organizations to provide feedback. Private companies should strongly consider participating in this proceeding to ensure that NIST considers their equities and interests when revising this foundational cybersecurity document.
[View source.]