Cybersecurity guidance

NIST Seeks Feedback on Proposed Changes to Cybersecurity Framework

The Department of Commerce’s National Institute of Standards and Technology is requesting public feedback on its proposed revisions to the Cybersecurity Framework.

NIST’s CSF is a voluntary framework that includes standards, guidelines and best practices for managing cybersecurity risks.

The request for information is focused on three categories: changes to the framework itself, alignment of the CSF with other cybersecurity resources and guidance managing supply chain cybersecurity, NIST said Tuesday.

Regarding the potential changes to the CSF, NIST said it wants to better understand how the framework is being used currently, what areas could be improved and what challenges organizations face in fully implementing its recommendations.

NIST noted that the CSF has been downloaded more than 1.6 million times and translated into at least six other languages since it was published in 2014.

The agency added that it is exploring how the CSF can be better aligned with other documents such as the National Initiative for Cybersecurity Education Framework and other guidance.

NIST is also seeking information that can help the newly established National Initiative for Improving Cybersecurity in Supply Chains identify cybersecurity-related challenges in supply chain security.

Feedback will help NIST decide whether it should create a separate framework dedicated to addressing supply chain cybersecurity.

Kevin Stine, chief cybersecurity adviser at NIST, said that the agency issued the RFI as part of a planned update and was not sparked by a single driving issue.

Commerce Deputy Secretary Don Graves added that the government wants to increase the framework’s usefulness and adoption, particularly among small businesses.

Responses to the RFI are due April 25.