Industry Highlights Value of NIST Cybersecurity Framework as NIST Considers Potential Update | Wiley Rein LLP
Privacy in Focus®
Public feedback in an ongoing cybersecurity proceeding at the National Institute of Standards and Technology (NIST) underscores the usefulness of a foundational cybersecurity document while offering suggestions for its improvement. NIST has begun evaluating the 130 comments it received in response to its Request for Information (RFI) on evaluating and improving its flagship cybersecurity guidance document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). NIST is investigating whether and how to update the CSF, which is widely used worldwide by organizations of all sizes. The RFI also sought feedback on NIST's National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a new public-private partnership that will seek to address cybersecurity supply chain risk management (C-SCRM) issues, as well as on NIST's other C-SCRM efforts.
Commenters and consensus
The record reflects comments from a diverse group of participants, including trade associations, industry coalitions, individual companies, standards bodies, and security vendors. Several federal agencies also submitted comments, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Aviation Administration (FAA), and the US Department of Energy.
The record reflects a general consensus that the CSF is heavily used and that significant changes would disrupt its usability and longevity. Many organizations highlighted the usefulness of the CSF as a flexible, voluntary, and risk-based document that can be applied in a wide variety of use cases. Indeed, it is critical that businesses pay heed to the CSF's consensus-based and voluntary approach to cybersecurity as the federal government pursues new regulatory approaches to address cybersecurity risks.
Beyond general agreement on the usefulness of the CSF, the record reflects a wide range of suggestions, both for improving the CSF and for guiding NIICS. Several commenters called for targeted changes to the CSF. For example, several communications and technology trade associations recommended that NIST update the informative references in its Informative Reference Catalog and map the CSF to additional frameworks, regulations, and standards. With respect to NIICS, many commenters recommended that NIST coordinate and harmonize its C-SCRM efforts with other ongoing federal C-SCRM initiatives.
Some commenters called for larger changes to the CSF. For example, a few commenters requested significant changes to the C-SCRM portion of the CSF, including changes to the CSF's categories and subcategories. However, many commenters who addressed C-SCRM discouraged NIST from constructing a new C-SCRM framework separate from the CSF. Several individual companies and security vendors suggested incorporating more measurement-related content into the CSF, while others recommended adding more privacy and data protection elements.
NIST plans to hold additional workshops to gather further insights into potential changes to the CSF. NIST is also likely to release public drafts of an updated CSF, which will provide additional opportunities for the public to offer feedback.