NIST Seeking Input to Update Cybersecurity Framework

Cybersecurity is a constantly changing landscape, and as a result, the National Institute of Standards and Technology (NIST) needs to evolve to remain effective. Before starting its next round of updates, NIST is seeking public input that will improve the effectiveness of its Cybersecurity Framework (CSF). It is also asking for suggestions to inform cybersecurity guidance related to supply chain risks.

Upcoming Changes

NIST’s CSF was released in 2014, and this will be only the second time it has been updated; the first update was in 2018. High-ranking executives have stated that no single driving issue is behind the updates. Instead, they are looking to make changes pre-emptively so that they do not experience security issues in the future.

What Is NIST Requesting?

NIST is requesting information from the public in three key areas: the CSF, other NIST resources, and supply chains.

The CSF

NIST wants to better understand how the CSF is being used today. They want to know what is working and what is not. They hope that feedback can help them figure out which areas need improvement and what structural changes to the CSF could be beneficial. Additionally, they want to hear suggestions on what should be modified or added. They also want to know if any challenges have prevented some organizations from using the CSF effectively.

Other NIST Resources

NIST is also interested in exploring better ways to align the CSF with other NIST guidance, such as the Software Development Framework, Privacy Framework, and Risk Management Framework. They want businesses to tell them which tools are complementary and what could be added to help them work together more effectively.

Supply Chains

NIST recently launched a private program called the National Initiative for Improving Cybersecurity in Supply Chains to help address supply chain cybersecurity risks. Now, NIST is requesting information to help it identify supply chain security risks. It wants to know what practices organizations use to manage their supply chain cybersecurity risks. The goal is to use that information to update its framework and improve supply chain cybersecurity going forward.

By: Alex O’Reilly

Sources: https://www.nist.gov/news-events/news/2022/02/nist-seeks-input-update-cybersecurity-framework-supply-chain-guidance

https://www.csoonline.com/article/3651368/nist-seeks-information-on-updating-its-cybersecurity-framework.html