Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity (Framework), on August 21 the National Institute of Standards and Technology (NIST) put forward a draft Request For Information (RFI) to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.

In the RFI, NIST seeks to understand public awareness of the Framework, and asks whether the Framework has gained the traction needed to be a factor in how organizations manage cyber risks. NIST also inquires about implementation of the Framework, the benefits and challenges to adoption, and whether some sectors require additional sector-specific guidance prior to use. Overall, the RFI includes nineteen specific questions covering the major areas for which NIST seeks public comment, although NIST welcomes broader comments on the “degree of awareness and voluntary use and subsequent improvement of the Framework.”

The RFI presents another important opportunity for industry to shape the Framework’s direction and guide its development. Whether an organization decides to use the Framework, organizations can expect to see the Framework’s structure and approach to influence cybersecurity-related expectations in board rooms and among policymakers.

The RFI is expected to appear in the Federal Register next week. Upon publication, organizations will have forty-five days to file comments. NIST seeks comments from all critical infrastructure sectors, but also invites submissions from other audiences, including standard-setting organizations, solution providers, other members of industry, and consumers.

Jared Bomberg