NIST Moves to Update Cybersecurity Framework

On February 22, 2022, the National Institute of Standards and Technology (NIST) published a request for comments and information (RFI) on how to improve NIST Cybersecurity Resources: The Cybersecurity Framework (CSF).

CSF provides organizations with standards, guidelines, and best practices for managing cybersecurity risks. The framework was last updated in 2018 and, according to a statement by NIST Chief Cybersecurity Advisor Kevin Stine in a recent NIST News Alert, this is a “planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”

Proposed Changes

The RFI is specifically seeking feedback on the following items:

1. Questions 1–6: Use of the CSF

The first six questions seek commentary about the usefulness of CSF, including the five functions, benefits, challenges that prevent organizations from using the framework, any features that should be changed, added, or removed, and the impact to usability and backward compatibility if those modifications are made.

1. Questions 7–10: Relationship of the CSF to Other Risk Management Resources

Questions 7–10 seek commentary on how the CSF may be aligned or integrated into the broader cybersecurity or risk management environment, including other NIST resources, like the NIST Privacy Framework, as well as non-NIST frameworks and approaches.

1. Questions 11–14: C-SCRM

Question 11 seeks commentary on challenges related to the cybersecurity aspects of supply chain risk management, the manner in which the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) can address those challenges, and the efforts that NIST can take to increase trust and assurance in the devices utilized in cybersecurity management.

Questions 12–13 seek commentary on the approaches, tools, standards, guidelines, and resources that are utilized for cybersecurity supply chain risk management (C-SCRM) and the manner in which these things can be improved upon.

Question 14 seeks commentary on how C-SCRM could be further integrated into the updated CSF, or if NIST should issue a separate framework that is specifically focused on C-SCRM.

Next Steps

Commentary on these questions is due by April 25, 2022. Those interested in or impacted by these proposed changes should consider voicing commentary on these matters to ensure that the updated framework reflects the best-available data.

This is especially true as the NIST framework is likely to be utilized on an enforceable and widespread basis. In fact, according to a statement by Secure Code Warrior’s CTO and co-founder, Dr. Matias Madou, NIST is the “front-runner on the international scene regarding cybersecurity framework.”

Additionally, Dave Hinchman, acting director of the Government Accountability Office (GAO), stressed the importance of this update for government agencies that have been delaying the adoption of NIST’s cybersecurity framework. According to Hinchman, this delay is a result of challenges that are being incurred in implementing the framework as a result of gaps in implementation guidance and the inherently voluntary nature of NIST’s regulatory efforts.

Although Hinchman points out that NIST cannot change the voluntariness of its framework, it is important to note that on March 7, 2022, the White House issued a statement—connected with its Executive Order on Improving the Nation’s Cybersecurity—directing the Office of Management and Budget (OMB) to “take appropriate steps” to ensure compliance with NIST’s issued guidance on software development and supply chain security. As such, adoption of NIST guidance may be mandated amongst government agencies and, potentially, private entities—further reinforcing the importance of the public comment period.