NIST Requests Comments on How to Improve its Cybersecurity Framework
Share this article on:
The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made.
The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made.
The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to help with the management of cybersecurity risk. NIST is not considering updating its Framework again to take these factors into account.
The NIST Cybersecurity Framework has been adopted by many healthcare organizations to improve cybersecurity, but some healthcare organizations have faced challenges implementing the Framework and currently fewer than half of healthcare organizations are adhering to NIST standards. NIST wants to learn about the challenges organizations have faced implementing the Framework and the commonalities and conflicts with other non-NIST frameworks and approaches that are used in conjunction with the NIST Cybersecurity Framework. There may be ways of improving alignment or integration of those approaches with the NIST Cybersecurity Framework. NIST wants suggestions on changes that could be made to the features of the Framework, features that should be added or removed, and any other ways that NIST could improve the Framework to make it more useful.
In addition to feedback on the Cybersecurity Framework, NIST has requested comments on possible improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. NIST has requested comments on challenges related to the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and whether there are currently gaps in existing cybersecurity supply chain risk management guidance and resources, including the application of those resources to information and communications technology, operational technology, IoT, and industrial IoT.
NIST has requested all comments be submitted by April 25, 2022.
Gloss