NIST Seeks User Feedback for Cybersecurity Framework


Utilities and other critical infrastructure continue to be targets for cybercriminals, while cyber-espionage is ramping up for businesses in the private sector. Amid this milieu, the National Institute of Standards and Technology (NIST) six months ago released version 1.0 of its voluntary Framework for Improving Critical Infrastructure Cybersecurity, a methodical approach meant for organizations of all types to use to create, guide, assess or improve their cybersecurity plans. The framework was developed with industry in a collaborative and open process over the course of a year, as directed by President Obama in Executive Order 13636. NIST is now seeking public feedback on the framework.

Over the past six months, NIST has worked closely with industry groups, associations, non-profits, government agencies and international standards bodies to strengthen awareness of the framework and to promote its use as a basic, flexible and adaptable tool for managing and reducing cybersecurity risks.

Now, NIST has posted to its Cybersecurity Framework website a preview version of a request for information (RFI) it intends to announce in an upcoming issue of the Federal Register. The goal of the RFI is to gain understanding of organizations' awareness of and experiences with the framework.

"We've seen organizations approach the framework in different ways," said Adam Sedgewick, senior policy analyst for NIST, in a statement. "Some are using it to start conversations within their organizations or across their sectors, others to create detailed cyber-risk management plans. We want to hear from all stakeholders to understand how they've used the framework, how it's been helpful, and where challenges may lie."

Responses to the RFI will affect NIST's planning and decisions about possible tools and resources to help organizations use the framework more effectively and efficiently.

All responses will be posted on the framework website after the comment period closes, 45 days after the RFI is published in the Federal Register. NIST said that it is especially interested in comments that will help to determine the framework's usefulness and applicability throughout industry, but input from all organizations is encouraged.
