Experience With the Framework for Improving Critical Infrastructure Cybersecurity

SUMMARY: The National Institute of Standards and Technology (NIST) requests information about the level of awareness throughout critical infrastructure organizations, and initial experiences with the Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). As directed by Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" (the "Executive Order"), the Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was released on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments.

Responses to this RFI--which will be posted at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm --will inform NIST's planning and decision-making about possible tools and resources to help organizations to use the Framework more effectively and efficiently. They will also help inform future versions of the Framework. The responses will also inform the Department of Homeland Security'sCritical Infrastructure Cyber Community C3 Voluntary Program. In addition, NIST is interested in receiving comments related to the Roadmap that accompanied publication of the Framework. All information provided will also assist in developing the agenda for a workshop on the Framework being planned for October 2014.

DATES: Comments must be received by 5:00 p.m. Eastern time on October 10, 2014.

ADDRESSES: Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to [email protected] in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization's name (if any), and cite "Experience with the Framework for Improving Critical Infrastructure Cybersecurity" in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials.

All comments received in response to this RFI will be posted at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482-0788, email [email protected]. Please direct media inquiries to NIST's Office of Public Affairs at (301) 975-2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure, /1/ which has become increasingly dependent on information technology. Recent cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This will be a long-term challenge. Additional steps must be taken to enhance existing efforts to increase the protection and resilience of critical infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity while also protecting privacy and civil liberties.

FOOTNOTE 1 For the purposes of this RFI the term "critical infrastructure" has the meaning given the term in 42 U.S.C. 5195c(e): "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." END FOOTNOTE

By Executive Order, /2/ the Secretary of Commerce was tasked to direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the "Framework"). /3/ The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the RFI that was published in the Federal Register on February 25, 2013, a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013. It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register (79 FR 9167) on February 18, 2014.

FOOTNOTE 2 Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (February 19, 2013). END FOOTNOTE

FOOTNOTE 3 https://www.federalregister.gov/articles/2014/02/18/2014-03495/ cybersecurity-framework. END FOOTNOTE

Given the diversity of sectors in the Nation's critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption.

While the focus of the Framework is on the Nation's critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations.

NIST remains committed to helping organizations understand and use the Framework. In the five-plus months since the document was published, NIST has reached out and responded to a large number of organizations to raise awareness, answer questions, and learn about their experiences with the Framework.

NIST has worked closely with industry groups, associations, non-profits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks, most frequently working in partnership with leaders at all levels of stakeholder organizations.

While the initial focus was on cross-sector needs, Section 8(b) of the Executive Order called on "Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments." NIST has participated in these and similar industry-government collaborative activities, in some cases serving in an advisory capacity.

In the time since the Framework's publication, NIST's primary goal has been to raise awareness of the Framework and how it can be used to manage cyber risks, in order to assist industry sectors and organizations to gain experience with it. While NIST appreciates that widespread implementation of the Framework can only occur over time, NIST views extensive voluntary use as critical to achieving the goals of the Executive Order. For these reasons, NIST is interested in learning about individual companies' and other organizations' knowledge of and experiences with the Framework. NIST wants to better understand how companies and organizations in all critical infrastructure sectors are approaching and making specific use of the Framework, in accordance with Section 7(f) of the Executive Order. This includes learning about which aspects of the Framework have been helpful or challenging, and about whether and how the Framework has been used to modify and strengthen management of cyber risks. The RFI responses will also inform the Department of Homeland Security'sCritical Infrastructure Cyber Community C3 Voluntary Program. /4/

FOOTNOTE 4 http://www.us-cert.gov/ccubedvp. END FOOTNOTE

NIST understands that at this early stage the Framework may be used in a variety of ways, including: participation in a sector group that is reviewing how the Framework can best be implemented and coordinated with ongoing or planned initiatives; initial high-level review of an organization's current management of cyber risk; and more intensive deployment as an organization's guiding approach to managing its cyber risk.

In addition to seeking comments from individual critical infrastructure owners and operators of all sizes and their representatives from sector and professional associations, NIST invites submissions from Federal agencies, state, local, territorial and tribal governments, standard-setting organizations, /5/ other members of industry, consumers, solution providers, and other stakeholders.

FOOTNOTE 5 As used herein, "standard-setting organizations" refers to the wide cross section of organizations that are involved in the development of standards and specifications, both domestically and abroad. END FOOTNOTE

Request for Information

The following questions cover the major areas about which NIST seeks comment. They are not intended to limit the topics that may be addressed. Responses may include any topic believed to have implications for the degree of awareness and voluntary use and subsequent improvement of the Framework, regardless of whether the topic is included in this document.

--This is a summary of a Federal Register article originally published on the page number listed below--

Notice; Request for Information (RFI).

Citation: "79 FR 50891"

Document Number: "Docket Number: 140721609-4609-01"

Federal Register Page Number: "50891"

"Notices"