May 16, 2017 – As the National Institute of Standards and Technology prepares to update its cybersecurity framework, the effort is winning new attention after President Trump issued an executive order (EO) requiring federal agencies to adhere to the framework. The EO, issued last week, is the first “explicit acknowledgment” from the new administration that the framework would play a role in the security of federal networks, said Matthew Barrett, NIST’s cybersecurity framework program manager, at the opening of a workshop today to discuss proposed changes to the framework.
The EO requires the heads of all civilian federal agencies to report within 90 days to the Department of Homeland Security and Office of Management and Budget on their adherence to the framework (TRDaily, May 11).
NIST has already issued guidance to federal agencies on how they could adopt the framework, Mr. Barrett said. “By seamlessly integrating the cybersecurity framework and key NIST cybersecurity risk management standards and guidelines already in wide use at various organizational levels, agencies can develop, implement, and continuously improve agency-wide cybersecurity risk management processes,” the guidance says.
Originally developed to help critical infrastructure entities improve their cyber defenses, the framework was ordered by an earlier EO issued in 2013 by the Obama administration. In 2014, Congress adopted, and the president signed into law, the Cybersecurity Enhancement Act, which codified NIST’s responsibility for maintaining the framework.
That maintenance includes periodic updates, such as the one now underway. NIST recently received stakeholder comments on ways it could improve the framework, and the suggested changes included renaming the document to eliminate its focus on critical infrastructure (TRDaily, April 11).
“Framing this document more broadly could lead to wider adoption among small businesses and organizations in the United States and abroad,” NIST said in a summary of comments it received. “The use and value of the framework stretches beyond critical infrastructure owners and operators.” That and other issues will be discussed at this week’s two-day workshop. —Tom Leithauser