On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). NIST issued the Framework in February 2014, earlier this year, in response to President Obama's February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received at its October 6th Cybersecurity Framework Workshop and on responses to an August request for information.
The December 5th update reviews a number of issues related to Framework implementation. Most notably, it reports that while there is general awareness of the Framework among critical infrastructure sectors, that awareness could improve among small and medium-sized enterprises. Stakeholders also believe that the Framework, and in particular the common practices outlined at the core of the Framework, provides a means of communicating expectations within and between businesses and other organizations in a sector. NIST found that while some stakeholders use the Framework as a benchmark for their operations, other stakeholders explicitly avoid using it that way. In this regard, NIST notes that of the Framework's three components (core layer, profile layer, and implementation layer), the implementation layer “appears to be the least used part of the framework.” In other words, although the Framework has been adopted as a common way to consider cybersecurity systems, stakeholders are unlikely to use it to determine the implementation of those systems. Many stakeholders requested guidance regarding “real world” use of the implementation layer. However, some still express reservations that the Framework could be used as a regulatory tool.
NIST says it is still too early to update the Framework because more time is needed to understand the current version. However, NIST has indicated that it will focus on providing guidance on the use of implementation layers in the coming months. Additionally, NIST noted that stakeholders have called on regulators to encourage use of the Framework “with a clear statement of the voluntary nature of the document.” NIST is not currently providing a formal opportunity to comment on the Framework, but is accepting feedback at cyberframeworks@nist.gov.