Industry Urges NIST to Preserve Key Attributes in Updating its Cybersecurity Framework

Public comments on updating the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) highlight private and public sector interest in this core foundational guidance document. NIST is now adjudicating the 130 comments it received in response to its Request for Information (RFI) related to a potential update to the CSF. The RFI also sought comment on NIST’s National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a new public-private partnership that will seek to address cybersecurity supply chain risk management (C-SCRM) issues, as well as NIST’s other C-SCRM efforts.

A diverse group of organizations participated in this proceeding, including trade associations, industry coalitions, individual companies, standards organizations, security vendors, and federal agencies such as the Cybersecurity and Infrastructure Security Agency, the Federal Aviation Administration, and the U.S. Department of Energy.  The comments provide a window into stakeholders’ concerns and the issues NIST will be addressing as it moves forward.

Many commenters discussed the CSF’s utility as a flexible, voluntary, and risk-based document that can be applied in any number of use cases.  To that end, the record reflects a general agreement that the CSF is relied upon heavily and that significant changes would be disruptive to its usability and longevity.  Numerous organizations provided details on the ways in which they implement the CSF to improve their security posture.

Although the record demonstrates general agreement on the CSF’s utility, commenters did seek various changes to the CSF.  Several communications and technology trade associations sought targeted changes, such as updating the Informative References that NIST provides on its Informative Reference Catalog and mapping the CSF to additional frameworks, regulations, and standards.  Certain individual companies, as well as a few information technology trade associations, recommended that NIST provide more clarity around its Implementation Tiers, which are intended to provide context on how an organization views cybersecurity risk and its processes to manage that risk. 

A smaller group of commenters sought more substantial changes to the CSF. For example, a few commenters sought significant changes to the CSF’s treatment of C-SCRM, including changes to the CSF’s Categories and Subcategories. However, many of the commenters that addressed C-SCRM discouraged NIST from building a new C-SCRM framework that is separate from the CSF. Other commenters, including organizations from the financial sector, asked NIST to add a Governance function to the CSF to make it more comprehensive. Additionally, a couple of federal agencies asked NIST to incorporate zero trust concepts into the CSF.

NIST plans to hold additional workshops to gain further perspectives on potential changes to the CSF.  It is likely that NIST will also release public drafts of the updated CSF, which would provide additional opportunities for organizations to provide feedback.  Private companies should strongly consider participating in this proceeding to ensure that NIST considers their equities and interests when revising this foundational cybersecurity document.

***

Wiley’s Cyber and Privacy Investigations, Incidents & Enforcement has helped entities of all sizes from various sectors proactively address cybersecurity risks and advocate before government agencies, including NIST, on cybersecurity policy and guidance.  For more information on NIST’s CSF, please reach out to any of the authors.
