The National Institute of Standards and Technology (NIST) recently released an update on its Framework for Improving Critical Infrastructure Cybersecurity (the Framework). The Framework was first issued in February 2014 as a voluntary, risk-based program to enable owners and operators of U.S. critical infrastructure to assess and remediate their cybersecurity risks. For more detail on the Framework, see our previous blog post, “Trendy ‘Cybersecurity’ Versus Traditional ‘Information Security’: Two Sides of the Same Security Coin,” and our article, “The Cybersecurity Framework’s Components,” Privacy and Data Protection 2014 Year in Review at 32-34.
The NIST update provides a summary of feedback concerning industry’s initial use of the Framework. NIST reports that many users have found the Framework helpful in improving communication within and across organizations, assessing risks of current practices, and as a tool to demonstrate alignment with standards, best practices and, in some cases, regulatory requirements.
Certain users expressed concerns about the Framework. Among the critiques offered by industry members are the following:
- The Tiers appear to be the least-used part of the Framework, likely because of their enterprise-level scope;
- Examples are needed to demonstrate practical and applied uses of the Framework;
- Some of the terminology is confusing and needs clarification;
- Health care providers, other covered entities and business associates need practical and detailed guidance on moving from a HIPAA compliance-only strategy to a focus on being cyber secure;
- NIST should advise as to how an organization can integrate cybersecurity into budget planning and master planning; and
- Global alignment is important to avoid confusion and duplication of effort by other governments.
Concerns were also raised as to whether regulatory agencies or Congress will make the Framework mandatory, transforming it from a voluntary mechanism into a compliance requirement. NIST does not answer industry’s concern that the Framework could become a de facto standard for cybersecurity, or that it may affect legal definitions or enforcement guidelines for cybersecurity. It merely reports that the concern was expressed.
NIST Action Items
NIST makes clear that it will not be updating the Framework within the next year. It stressed that more time is needed for industry to understand and use the current version of the Framework. Toward that end, it has assigned itself certain action items in response to the industry feedback. To continue to promote use of the Framework, NIST commits to complete the following tasks:
- Increase efforts to raise awareness of the Framework in the same open and collaborative manner (i.e., working with industry, academia and government at multiple levels) in which the Framework was developed;
- Develop an outreach effort to include small- and medium-sized businesses, state and local governments, and international organizations;
- Develop and disseminate information and training materials that include actual examples of how organizations can employ the Framework in a practical and meaningful manner;
- Develop advice on how to integrate cybersecurity risk management with broader enterprise risk management;
- Explore options for making Framework reference materials available in a common publicly-available repository; and
- Continue to hold workshops, webinars and similar meetings to involve additional stakeholders.
Given NIST’s list of action items, organizations can expect NIST to produce a set of advisory materials and practical guidance on how to use the Framework to an organization’s advantage. NIST continues to advocate a risk management process for dealing with cybersecurity risks and to promote the Framework as a management best practice.
NIST welcomes ongoing feedback by email. It is soliciting input as to how organizations are using the Framework, and requesting specific suggestions for improvement and for possible outreach activities.