Stakeholders Seek Additional Guidance on NIST Cybersecurity Framework, Not Full Update
The National Institute of Standards and Technology (NIST) has “heard very clearly” that it’s still too early to consider a full-fledged Version 2.0 update of the Cybersecurity Framework, said Kevin Stine, Computer Security Division manager-Security Outreach and Integration Group, during a framework development workshop Thursday. Industry stakeholders have told NIST major changes to the framework aren’t a good idea because NIST released the Version 1.0 framework only in February (see 1410140173). A White House official said Wednesday that he believed it was unlikely that major changes would be coming in the near future (see 1410290046). The NIST workshop and comments submitted to the agency have shown there’s “very strong” awareness of the framework in all critical infrastructure sectors but all stakeholders should continue to raise awareness, Stine said.
NIST will continue to discuss a possible governance structure for updates to the Cybersecurity Framework, but workshop participants had indicated they want NIST to have an ongoing role, said Adam Sedgewick, NIST senior information technology policy adviser. Stakeholders are most frequently using the Framework Core, which guides critical infrastructure owners and operators in identifying systems in need of protection and in selecting potential safeguards, Sedgewick said. NIST will need to provide additional guidance on the Framework Implementation Tiers and Framework Profiles, he said. Stakeholders indicated they didn’t fully understand the tiers but liked the concept, and said they weren’t frequently using the Framework Profiles, Sedgewick said. Stakeholders are also seeking additional guidance on framework use, such as a risk management “starter’s guide” and more illustrative applications of the framework beyond the document itself, Stine said.
State and international officials said during the workshop that they're finding ways to apply the NIST framework to cybersecurity efforts beyond federal agencies and critical infrastructure sectors. State regulatory bodies are “very unlikely” to apply the NIST framework as a mandated standard for their utilities, but they will likely view it as a “good indicator” of prudent decision-making on cyber risk management if a utility seeks aid from a regulator, said Miles Keogh, National Association of Regulatory Utility Commissioners director-grants and research. State regulators are likely to adhere largely to the NIST framework instead of trying to “reinvent the wheel” given the largely positive feedback circulating about the framework, Keogh said.
Rhode Island was an early adopter of the NIST framework, which was a “natural fit” with cybersecurity efforts that were already ongoing in the state at the time President Barack Obama signed the cybersecurity executive order in February 2013 that directed NIST to facilitate the framework's creation, said Rhode Island Emergency Management Agency Executive Director Jamia McDonald. The framework has helped Rhode Island re-evaluate some aspects of its earlier cybersecurity response, including more engagement with the state’s business community, McDonald said.
The U.K. is also using the NIST framework and is encouraging U.K. industry to align cyber risk management activities with the framework, said James Snook, Office of Cyber Security and Information Assurance senior policy adviser. The U.K. government considered creating a separate U.K.-centric cybersecurity framework but believed that there was a possibility of fragmentation and that the NIST framework had significant benefits for harmonization, Snook said. Like the U.S., the U.K. believes the NIST framework’s core strength is its flexibility, he said. U.K. industry already was involved in creating the NIST framework and has a natural incentive to use it, Snook said.