The NIST is soliciting public feedback as it prepares to update its Cybersecurity Framework (CSF) for the second time. The CSF was first published in 2014, and then updated in 2018 to reflect more recent technological advancements.
As before, the planned 2022 update is not a response to any particular development, but is instead in keeping with the NIST’s regular schedule to ensure that the CSF remains relevant and accurately reflects the state of the cybersecurity industry. The NIST is asking the public to weigh in on any issues they may have with the current CSF, and on the changes they would like to see in a future iteration. Those who do will give the organization the opportunity to address those concerns in the forthcoming Framework.
In that regard, the NIST is seeking input in three primary categories. The first concerns the current CSF, and asks whether or not it is working as intended. The NIST specifically wants to know if there are any parts of the CSF that prevent organizations from implementing its guidelines, and what it can do to make the CSF more user-friendly.
The second category concerns interoperability, which is to say that the NIST wants to know how well the CSF works with other NIST frameworks, and with other third-party cybersecurity resources. The organization believes that security resources should be complementary, and help foster the creation of a more comprehensive cybersecurity environment.
Finally, the NIST is calling particular attention to the subject of supply chains. The organization noted that a growing number of cyberthreats are targeting supply chains, and is seeking advice that will help protect those supply chains from cybercriminals. Those recommendations are expected to help support the NIST’s recently launched National Initiative for Improving Cybersecurity in Supply Chains (NIICS).
“Every organization needs to manage cybersecurity risk as a part of doing business,” said Commerce Deputy Secretary Don Graves. “The CSF is one of the leading frameworks for private sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.”
On that front, the NIST noted that the CSF is one of the most influential cybersecurity documents in the world. Previous versions have already been downloaded more than 1.6 million times and translated into six languages, and have also served as a template for other cybersecurity frameworks. The deadline for submitting comments is April 25.