The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework in response to user comments that the original framework was too vague in its Implementation Tiers, the scale (from Tier 1, Partial, to Tier 4, Adaptive) by which organizations gauge the rigor of their approach to managing cybersecurity risk.
“We are working from all of the feedback we’ve received since the framework was published on its use, best practices, outreach, prospective updates, and governance,” said Matthew Barrett, NIST Cybersecurity Framework program manager. “The minor updates we have planned for the framework should not disrupt anyone’s ongoing framework use.”
NIST sent out a request for information on the framework in December 2015 and is using the responses to that request, together with input from an April 2016 workshop, to shape the updates to the framework.
The original document, titled Framework for Improving Critical Infrastructure Cybersecurity, was published in February 2014 in response to Executive Order 13636 on improving critical infrastructure cybersecurity. It provides voluntary guidance on how organizations in critical infrastructure sectors such as transportation and banking can manage their cybersecurity risk.
In addition to updating the Implementation Tiers, NIST is also undertaking three more changes based on the feedback:
- Publish a governance process on framework maintenance and evolution.
- Serve as a convergence point for the communities involved in using and maintaining the framework.
- Continue framework outreach, focusing on international, small, and medium-sized businesses and regulators.
NIST is also developing the Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations evaluate their risk management and cybersecurity practices more easily.
A draft of the updated framework will be released in 2017, and NIST reminds users that it always welcomes feedback on the framework.