The Commerce Department’s National Institute of Standards and Technology (NIST) is developing a minor update to its Cybersecurity Framework based on user feedback, with a published draft for comment to be published in early 2017, the agency said Thursday.
The NIST update comes after the agency received over 100 comments in a December 2015 Request for Information (RFI) and an April 2016 workshop that included 800 participants from industry, government, and academia.
In a newly released report, Cybersecurity Framework Feedback: What We Heard and Next Steps, NIST said it plans to review references in the original document, Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), to ensure they are current and per user requests is also considering clarifying the framework’s implementation Tiers. The tiers are a mechanism for organizations to gauge their approach to managing cybersecurity risk.
The agency may also add guidance for applying the framework for applying the framework for supply chain risk management, NIST said.
NIST originally developed the framework in response to Executive Order 13636 and published it in February 2014. It was designed to provide voluntary cybersecurity guidance to strengthen the security of U.S. critical infrastructure.
“We are working from all of the feedback we’ve received since the framework was published on its use, best practices, outreach, prospective updates and governance,” Matthew Barrett, NIST Cybersecurity Framework program manager, said in a statement.
“The minor updates we have planned for the framework should not disrupt anyone’s ongoing framework use,” he added.
Other actions NIST plans to take in accordance with the stakeholder feedback includes publishing a governance process to outline the process of framework maintenance and evolution and also defines the role of stakeholders and how they will work together in the future; remain as convener of framework stakeholders; and continue framework outreach and focus also on international, small, and medium-sized businesses and regulators.
NIST is also developing a tool to help organizations assess their cybersecurity risk management process, the Cybersecurity Excellence Builder. It will be based on the framework and main concepts from the NIST-developed Baldrige Performance Excellence Program.