NIST Wants Feedback on How to Strengthen its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking comments on the benefits of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions for any improvements that could be made.

The NIST Cybersecurity Framework was introduced in 2014 to help public and private sector organizations follow cybersecurity requirements and best practices so that they can improve their cybersecurity posture, better protect against cyber threats, and quickly detect and respond to ongoing cyberattacks to limit the damage that could be caused. The NIST Cybersecurity Framework is regarded as the gold standard for cyber threat management; nonetheless, that does not mean improvements cannot be made.

The latest update to the Cybersecurity Framework was in April 2018. In the past four years, the cybersecurity threat landscape has changed substantially. New threats have surfaced, the tactics, techniques, and procedures (TTPs) used by cyber threat actors have evolved, there are new technologies and security features, and more resources are available to help with the management of cybersecurity risk. NIST is now looking at updating its Framework once again to take these factors into account.

The NIST Cybersecurity Framework has been used by numerous healthcare companies to strengthen cybersecurity. However, a number of healthcare institutions have had difficulty implementing the Framework, and presently fewer than half of healthcare companies are conforming with NIST standards. NIST would like to hear about the problems organizations have encountered when implementing the Framework, and about the commonalities and conflicts with other non-NIST frameworks and methods that are used together with the NIST Cybersecurity Framework. There may be ways to improve the alignment or application of those approaches with the NIST Cybersecurity Framework. NIST wishes to receive recommendations on changes that could be made to the features of the Framework, functions that ought to be added or eliminated, and any other ways NIST can improve the Framework to make it more useful.

In addition to responses on the Cybersecurity Framework, NIST has requested feedback on potential improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would start the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to deal with cybersecurity challenges in supply chains. NIST has asked for responses on challenges associated with the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and on whether there are presently gaps in existing cybersecurity supply chain risk management guidance and resources, including how those resources apply to information and communications technology, operational technology, IoT, and industrial IoT.

NIST wants to receive all comments by April 25, 2022.