The National Institute of Standards and Technology today began seeking input on the effectiveness of a cybersecurity framework it issued in 2014 and on the need to update the framework. “The process to develop the framework brought together both private and public sector organizations and resulted in a document that is being used by a wide variety of organizations,” said Adam Sedgewick, NIST’s senior information technology policy adviser. “We’re looking forward to receiving feedback on specific questions about its use and how it might be improved.”
The framework was designed to be a flexible document providing voluntary consensus guidelines on network security for critical infrastructure entities. Its implementation has been led by several private sector trade groups as well as federal regulatory agencies, which were asked to apply the framework to regulated industries without adding new layers of rules.
Work on the framework began with an executive order from President Obama in 2013, but its development and management have since been codified by the adoption of the Cybersecurity Enhancement Act of 2014, which requires NIST to consult regularly with stakeholders on any improvements that might be needed.
In a request for information published today, NIST seeks comment on “the variety of ways in which the framework is being used to improve cybersecurity risk management, how best practices for using the framework are being shared, the relative value of different parts of the framework, the possible need for an update of the framework, and options for the long-term governance of the framework.”
Comments are due by Feb. 9, 2016, and NIST plans to hold a workshop April 6-7, 2016, at its Gaithersburg, Md., campus. – Tom Leithauser, tom.leithauser@wolterskluwer.com
Courtesy TRDaily