NIST Updates Cybersecurity Framework, Calls for More Feedback



The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework was published in 2014, following a collaborative effort among industry, academia and government agencies to improve the cybersecurity of critical infrastructure. On Jan. 10, NIST issued an update to the framework and called for more public feedback on it.

The draft update incorporates comments from a previous request for feedback and adds details on managing “cyber supply chain risks,” clarifies terms and introduces “measurement methods for cybersecurity,” NIST said in a statement. “The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid, but the framework has been widely adopted by many types of organizations across the country and around the world,” NIST said.

The voluntary framework is often touted as a good standard to follow and is mentioned in various government memos, including a recent Office of Management and Budget memorandum that embraced a risk-based approach to data breach preparation for federal agencies. In September, Commerce Secretary Penny Pritzker said a recent cybersecurity recommendation by the Federal Communications Commission applied NIST’s Cybersecurity Framework to establish a mechanism where companies can voluntarily engage with regulators in a setting that would allow companies to share information that cannot be used against them.  

NIST said that the deadline to submit comments is April 10, 2017. 
