On December 5, the National Institute of Standards and Technology (NIST) issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity (Framework).  Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs.  NIST’s update addresses industry input received from an October workshop and an August Request for Information.  It also describes NIST’s plans to support future use of the Framework.

NIST’s update makes several observations regarding how organizations are currently using the Framework.  Notably, NIST recognized that the Tiers “appear to be the least-used part of the Framework” and that additional guidance may be needed on the appropriate use of tiers.  In addition, NIST noted the continued interest expressed by industry in expanded information-sharing activities and highlighted its release of draft Special Publication (SP) 800-150.  Published in October 2014, draft SP 800-150 offers entities guidance on the safe and effective sharing of cyber threat information in support of incident response.  NIST also acknowledged stakeholder calls for global policy and enforcement alignment and the need for greater visibility of the Framework to avoid confusion and “conflicting expectations in the global business environment.”

NIST also expressed sensitivity to concerns about the Framework’s uncertain regulatory implications and acknowledged industry desire for additional guidance on use of the Framework.  To that end, NIST indicated its intent to provide guidance on the appropriate use of the Framework, including actual or exemplary illustrations, as well as guidance tailored to specific sectors including smaller enterprises.

NIST does not anticipate updating the Framework itself within the next year, in light of “widespread agreement among participants that it is too early to update the Framework and that more time is needed to understand and use the current version.”  For now, NIST’s priority will be “to develop and disseminate information and training materials that advance use of the Framework.”  In furtherance of that goal, NIST intends to pursue the following initiatives:

  • develop material on aligning the Framework with business processes, including integrating cybersecurity risk management with broader enterprise risk management;
  • partner with other organizations to help raise awareness about the Framework;
  • explore options for hosting publicly available Framework reference materials; and
  • continue hosting workshops, webinars, and similar meetings on the Framework to bring in additional stakeholders.

Moving forward, corporate boards and management are likely to see the Framework continue to be cited as a resource for those involved in the design, operations, and oversight of cybersecurity risk management efforts, including preparation for a cybersecurity breach.

Donald DePass, an associate in our Washington, D.C. office, contributed to this entry.