NIST Solicits Feedback on Industry Adoption of Cybersecurity Framework

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Aug. 26 — The National Institute of Standards and Technology Aug. 26 launched a 45-day comment period on the private sector's experience so far with using the agency's cybersecurity framework (79 Fed. Reg. 50,891, 8/26/14).

The information gathered by NIST through a request for information published in the Federal Register will affect the agency's decisions about possible tools and resources to help organizations use the framework more effectively, according to an Aug. 22 statement by NIST.

“We've seen organizations approach the framework in different ways,” NIST Senior Policy Analyst Adam Sedgewick said in the NIST statement. “Some are using it to start conversations within their organizations or across their sectors, others to create detailed cyber risk management plans. We want to hear from all stakeholders to understand how they've used the framework, how it's been helpful, and where challenges may lie.”

Broad Adoption Envisioned

An executive order signed by President Barack Obama in 2013 required NIST, a division of the Department of Commerce, to develop a framework consisting of voluntary cybersecurity best practices for U.S. “critical infrastructure” sectors, such as banks and telecommunications providers.

In February, NIST issued a final framework, and the Department of Homeland Security set up a new program to assist interested companies with implementation.

Although the framework is focused on the nation's critical infrastructure, it is designed to improve cybersecurity practices across all industries and by all types of organizations, according to the request for information. The framework is intended for voluntary industry adoption, although it was crafted to be compatible with existing regulatory authorities and regulations, NIST said.

In addition to helping NIST with considering new tools and resources, responses to the request for information are also expected to frame the discussion at a cybersecurity framework workshop that is scheduled to be held by the agency Oct. 29-30 in Tampa, Fla. Comments will also inform the DHS program, NIST said.

Extensive Feedback Sought

Questions posed in the request for information include:

• Which sectors and organizations are actively planning to, or already are, using the framework, and how?

• Has the framework helped organizations to understand the importance of managing cybersecurity risk?

• What benefits have been realized by early experiences with the framework?

• Have organizations using the framework integrated it with their broader enterprise risk management program?

• What are the greatest challenges and opportunities for NIST, the federal government more broadly and the private sector when it comes to improving awareness of the framework?

• To what extent are federal regulators aware of the framework and taking “visible actions” reflecting such awareness?


All responses will be posted on NIST's website after the comment period closes Oct. 10, the agency said.

The request for information is available at


Request Bloomberg Law Privacy and Data Security