Industry Highlights NIST Cybersecurity Framework’s Value as NIST Weighs a Potential Update | Wiley Rein LLP
Privacy in focus®
Public comments in an ongoing cybersecurity proceeding at the National Institute of Standards and Technology (NIST) highlight the usefulness of a key cybersecurity document while offering suggestions for its improvement. NIST has begun evaluating the 130 comments it received in response to its request for information (RFI) on the evaluation and improvement of its flagship cybersecurity guidance document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). NIST is trying to determine whether and how to update the CSF, which is widely used worldwide by organizations of all sizes. The RFI also called for comments on NIST's National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a new public-private partnership that will try to address cybersecurity supply chain risk management (C-SCRM) issues, as well as on other NIST C-SCRM efforts.
Commenters and consensus
The record reflects a diverse group of participants, including trade associations, industry coalitions, individual companies, standard organizations, and security providers. Several federal agencies also submitted comments, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Aviation Administration (FAA), and the U.S. Department of Energy.
The record reflects a general consensus that the CSF is highly trusted and that significant changes would impair its usability and longevity. Many organizations described the usefulness of the CSF as a flexible, voluntary, risk-based document that can be applied in a variety of different use cases. Indeed, it is critical that companies pay attention to the CSF's voluntary, consensus-based approach to cybersecurity as the federal government pursues new regulatory approaches to addressing cybersecurity risks.
Beyond the general agreement on the usefulness of the CSF, the record reflects a wide range of suggestions, both to improve the CSF and to guide the NIICS. Several commenters sought specific changes to the CSF. For example, several communications and technology trade associations recommended that NIST update the informative references it provides in its Informative References catalog and map the CSF to additional frameworks, regulations, and standards. With regard to NIICS, many commenters recommended that NIST coordinate and harmonize its C-SCRM efforts with other ongoing federal C-SCRM initiatives.
Some commenters sought broader changes to the CSF. For example, some commenters sought significant changes to the C-SCRM part of the CSF, including changes to CSF categories and subcategories. However, many of the commenters who addressed C-SCRM discouraged NIST from building a new C-SCRM framework separate from the CSF. Several individual companies and security providers suggested incorporating more metrics into the CSF, while others recommended adding more privacy and data protection elements to the CSF.
NIST plans to hold additional workshops to gain more insights into possible changes to the CSF. It is likely that NIST will also publish public drafts of the updated CSF, which would provide additional opportunities for the public to comment.