On December 10, 2015, the National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) seeking input on existing uses of, and potential changes to, the voluntary Framework for Improving Critical Infrastructure Cybersecurity (Framework). The Framework, which was released in February 2014 following a year-long process involving stakeholders and government representatives, provides standards and guidance to help private and public organizations undertake cybersecurity risk management.
In the RFI, NIST has requested comment on the following issues:
- the variety of ways in which the Framework is being used to improve cybersecurity risk management,
- how best practices for using the Framework are being shared,
- the relative value of different parts of the Framework,
- the possible need for an update of the Framework, and
- options for the long-term management of the Framework.7
NIST states that the feedback will inform “planning and decision-making about how to further advance the Framework” and will be used in the development of an agenda for a workshop on the Framework, which is expected to take place at NIST’s campus in Gaithersburg, Maryland on April 6-7, 2016.8 The deadline for submission of comments in response to the RFI is February 9, 2015.