As part of its effort to evaluate and improve its cybersecurity resources—including the widely used NIST Cybersecurity Framework (CSF)—the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has issued a request for information (RFI) by April 25. Feedback will support existing and potential standards, guidelines, and other information related to cybersecurity. As part of the effort, the NIST National Cybersecurity Center of Excellence (NCCoE) will host a virtual NCCoE Learning Series Fireside Chat February 24, 2022, at 3:00 p.m. ET, to provide more details about the RFI, the evolution of the CSF, and NIST’s future plans.
Per the February 22 Federal Register, NIST is seeking feedback in two areas:
Focus Area 1: Evaluating and Improving the NIST Cybersecurity Framework (CSF)
In an effort to better understand opportunities for greater alignment and harmonization of the CSF with other resources, and to provide more effective support to organizations as they manage different types of cybersecurity risks, NIST is seeking information about the use, adequacy, and timeliness of the CSF. It also seeks to look at the degree to which other NIST resources (e.g., the Privacy Framework, Risk Management Framework, Secure Software Development Framework, and NICE Workforce Framework) are used in conjunction with, or instead of, the CSF.
In addition, NIST seeks information about “challenges that may prevent organizations from using the CSF or using it more easily or extensively (e.g., resource considerations, organizational factors, workforce gaps, or complexity).” NIST reports that it seeks to better understand how the CSF is being used today—along with recognizing what’s working and what could work better.
Focus Area 2: Evaluating and Improving Cybersecurity Supply Chain Risk Management
NIST is also examining the challenges organizations are facing from a technology supply chain perspective to inform a public-private partnership, the National Initiative for Improving Cybersecurity in Supply Chains (NIICS). Additionally, NIST will examine whether there are additional approaches, tools, standards, guidelines, or other resources that NIST should consider to achieve greater assurance throughout the software supply chain, including for open source software.
Information will help NIST to identify and prioritize supply chain–related cybersecurity needs across sectors.
For additional details or to submit comments on the RFI, visit NIST’s website.