Experience With the Framework for Improving Critical Infrastructure Cybersecurity
Federal Information & News Dispatch, Inc.
Notice; Request for Information (RFI).
Citation: "79 FR 50891"
Document Number: "Docket Number: 140721609-4609-01"
Page Number: "50891"
Responses to this
DATES: Comments must be received by
ADDRESSES: Written comments may be submitted by mail to
All comments received in response to this
FOR FURTHER INFORMATION CONTACT: For questions about this
SUPPLEMENTARY INFORMATION: The national and economic security of
FOOTNOTE 1 For the purposes of this
By Executive Order, /2/ the Secretary of Commerce was tasked to direct the Director of the
FOOTNOTE 2 Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (
FOOTNOTE 3 https://www.federalregister.gov/articles/2014/02/18/2014-03495/cybersecurity-framework. END FOOTNOTE
Given the diversity of sectors in the Nation's critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption.
While the focus of the Framework is on the Nation's critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations.
NIST remains committed to helping organizations understand and use the Framework. In the five-plus months since the document was published, NIST has reached out and responded to a large number of organizations to raise awareness, answer questions, and learn about their experiences with the Framework.
NIST has worked closely with industry groups, associations, non-profits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks, most frequently working in partnership with leaders at all levels of stakeholder organizations.
While the initial focus was on cross-sector needs, Section 8(b) of the Executive Order called on "Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments." NIST has participated in these and similar industry-government collaborative activities, in some cases serving in an advisory capacity.
In the time since the Framework's publication, NIST's primary goal has been to raise awareness of the Framework and how it can be used to manage cyber risks, in order to assist industry sectors and organizations to gain experience with it. While NIST appreciates that widespread implementation of the Framework can only occur over time, NIST views extensive voluntary use as critical to achieving the goals of the Executive Order. For these reasons, NIST is interested in learning about individual companies' and other organizations' knowledge of and experiences with the Framework. NIST wants to better understand how companies and organizations in all critical infrastructure sectors are approaching and making specific use of the Framework, in accordance with Section 7(f) of the Executive Order. This includes learning about which aspects of the Framework have been helpful or challenging, and about whether and how the Framework has been used to modify and strengthen management of cyber risks. The
FOOTNOTE 4 http://www.us-cert.gov/ccubedvp. END FOOTNOTE
NIST understands that at this early stage the Framework may be used in a variety of ways, including: participation in a sector group that is reviewing how the Framework can best be implemented and coordinated with ongoing or planned initiatives; initial high-level review of an organization's current management of cyber risk; and more intensive deployment as an organization's guiding approach to managing its cyber risk.
In addition to seeking comments from individual critical infrastructure owners and operators of all sizes and their representatives from sector and professional associations, NIST invites submissions from Federal agencies, state, local, territorial and tribal governments, standard-setting organizations, /5/ other members of industry, consumers, solution providers, and other stakeholders.
FOOTNOTE 5 As used herein, "standard-setting organizations" refers to the wide cross section of organizations that are involved in the development of standards and specifications, both domestically and abroad. END FOOTNOTE
Request for Information
The following questions cover the major areas about which NIST seeks comment. They are not intended to limit the topics that may be addressed. Responses may include any topic believed to have implications for the degree of awareness and voluntary use and subsequent improvement of the Framework, regardless of whether the topic is included in this document.
While the Framework and associated outreach activities by NIST have focused on critical infrastructure, given the broad diversity of sectors that may include parts of critical infrastructure and the intention to continue to involve a broad set of stakeholders in use and evolution of the Framework, the
Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. Do not include in comments or otherwise submit proprietary or confidential information, as all comments received in response to this
Current Awareness of the Cybersecurity Framework
Recognizing the critical importance of widespread voluntary usage of the Framework in order to achieve the goals of the Executive Order, and that usage initially depends upon awareness, NIST solicits information about awareness of the Framework and its intended uses among organizations.
1. What is the extent of awareness of the Framework among the Nation's critical infrastructure organizations? Six months after the Framework was issued, has it gained the traction needed to be a factor in how organizations manage cyber risks in the Nation's critical infrastructure?
2. How have organizations learned about the Framework? Outreach from NIST or another government agency, an association, participation in a NIST workshop, news media? Other source?
3. Are critical infrastructure owners and operators working with sector-specific groups, non-profits, and other organizations that support critical infrastructure to receive information and share lessons learned about the Framework?
4. Is there general awareness that the Framework:
a. Is intended for voluntary use?
b. Is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cybersecurity factors into risk assessments?
c. Builds on existing cybersecurity frameworks, standards, and guidelines, and other management practices related to cybersecurity?
5. What are the greatest challenges and opportunities--for NIST, the Federal government more broadly, and the private sector--to improve awareness of the Framework?
6. Given that many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure, what is the level of awareness internationally of the Framework?
7. If your sector is regulated, do you think your regulator is aware of the Framework, and do you think it has taken any visible actions reflecting such awareness?
8. Is your organization doing any form of outreach or education on cybersecurity risk management (including the Framework)? If so, what kind of outreach and how many entities are you reaching? If not, does your organization plan to do any form of outreach or awareness on the Framework?
9. What more can and should be done to raise awareness?
Experiences With the Cybersecurity Framework
NIST is seeking information on the experiences with, including but not limited to early implementation and usage of, the Framework throughout the Nation's critical infrastructure. NIST seeks information from and about organizations that have had direct experience with the Framework. Please provide information related to the following:
1. Has the Framework helped organizations understand the importance of managing cyber risk?
2. Which sectors and organizations are actively planning to, or already are, using the Framework, and how?
3. What benefits have been realized by early experiences with the Framework?
4. What expectations have not been met by the Framework and why? Specifically, what about the Framework is most helpful and why? What is least helpful and why?
5. Do organizations in some sectors require some type of sector-specific guidance prior to use?
6. Have organizations that are using the Framework integrated it with their broader enterprise risk management program?
7. Is the Framework's approach of major components--Core, Profile, and Implementation Tiers--reasonable and helpful?
8. Section 3.0 of the Framework ("How to Use the Framework") presents a variety of ways in which organizations can use the Framework.
a. Of these recommended practices, how are organizations initially using the Framework?
b. Are organizations using the Framework in other ways that should be highlighted in supporting material or in future versions of the Framework?
c. Are organizations leveraging Section 3.5 of the Framework ("Methodology to Protect Privacy and Civil Liberties") and, if so, what are their initial experiences? If organizations are not leveraging this methodology, why not?
d. Are organizations changing their cybersecurity governance as a result of the Framework?
e. Are organizations using the Framework to communicate information about their cybersecurity risk management programs--including the effectiveness of those programs--to stakeholders, including boards, investors, auditors, and insurers?
f. Are organizations using the Framework to specifically express cybersecurity requirements to their partners, suppliers, and other third parties?
9. Which activities by NIST, the
10. Have organizations developed practices to assist in use of the Framework?
Roadmap for the Future of the Cybersecurity Framework
NIST published a Roadmap /6/ in
FOOTNOTE 6 http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf END FOOTNOTE
1. Does the Roadmap identify the most important cybersecurity areas to be addressed in the future?
2. Are key cybersecurity issues and opportunities missing that should be considered as priorities, and if so, what are they and why do they merit special attention?
3. Have there been significant developments--in
Associate Director for Laboratory Programs.
[FR Doc. 2014-20315 Filed 8-25-14;
BILLING CODE 3510-13-P
Copyright: (c) 2014 Federal Information & News Dispatch, Inc.