To keep pace with the always evolving cybersecurity landscape, the United States’ National Institute of Standards and Technology (NIST) is planning to revise the widely adopted NIST Cybersecurity Framework (CSF). In advance of the update, NIST is asking the public for information that would improve the effectiveness of the CSF and its alignment with other cybersecurity resources. The agency is also requesting suggestions to inform cybersecurity guidance related to supply chain risks.
“Every organization needs to manage cybersecurity risk as a part of doing business, whether it is in industry, government or academia,” says Don Graves, Deputy Secretary of Commerce. “It is critical to their resilience and to our nation’s economic security. There are many tools available to help, and the CSF is one of the leading frameworks for private sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.”
This marks the second time that NIST will update the CSF, formally known as the Framework for Improving Critical Infrastructure Cybersecurity, which it initially released in 2014 after extensive public involvement and collaboration. Since then, the CSF has been downloaded more than 1.6 million times and has been adopted internationally, with translations into at least six other languages.
NIST first updated the CSF in 2018. “There is no single issue driving this change,” says Kevin Stine, chief cybersecurity advisor at NIST. “This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”
To inform the revision, NIST is requesting public input that falls into three main categories: changes purely to the CSF itself, relationships and alignment between the CSF and other resources, and ways to improve cybersecurity in supply chains.
Regarding the CSF itself, NIST wants to better understand how it is being used today and to learn what’s working and what’s not. For example, what areas could be improved? Could structural changes to the CSF help? Have any challenges prevented organizations from using the CSF more easily or extensively? Should anything be added or modified based on what we have learned?
Regarding other NIST resources, NIST wants to explore better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, Risk Management Framework, Workforce Framework for Cybersecurity (also called the NICE Framework), and its series on IoT cybersecurity. NIST also is asking for information about the CSF’s alignment with non-NIST resources. In all cases, NIST wants to know whether these tools are complementary and what would help them work together more effectively.
Regarding supply chains, NIST recently launched a public-private partnership, called the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), to address supply chain cybersecurity risks. NIST is requesting information that will help identify supply-chain-related cybersecurity needs and harmonize the NIICS initiative with the CSF. For example, what are the standards and guidelines that organizations are currently using to manage their cybersecurity supply chain risks? Does NIST need to create a dedicated framework addressing cybersecurity supply chain risk management, or can this be addressed through greater treatment of supply chain risk in the CSF?
Comments are due by April 25, 2022. Visit the CSF website to view the RFI and for details on how to submit your comments. Responses to this RFI will inform possible revisions of the CSF as well as the NIICS initiative. Send general questions about this RFI to CSF-SCRM-RFI@nist.gov.