Experience With the Framework for Improving Critical Infrastructure Cybersecurity
Federal Information & News Dispatch, Inc.
SUMMARY:
Responses to this
DATES: Comments must be received by
ADDRESSES: Written comments may be submitted by mail to
All comments received in response to this
FOR FURTHER INFORMATION CONTACT: For questions about this
SUPPLEMENTARY INFORMATION: The national and economic security of
FOOTNOTE 1 For the purposes of this
By Executive Order, /2/ the Secretary of Commerce was tasked to direct the Director of the
FOOTNOTE 2 Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (
FOOTNOTE 3 https://www.federalregister.gov/articles/2014/02/18/2014-03495/cybersecurity-framework. END FOOTNOTE
Given the diversity of sectors in the Nation's critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption.
While the focus of the Framework is on the Nation's critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations.
NIST remains committed to helping organizations understand and use the Framework. In the five-plus months since the document was published, NIST has reached out and responded to a large number of organizations to raise awareness, answer questions, and learn about their experiences with the Framework.
NIST has worked closely with industry groups, associations, non-profits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks, most frequently working in partnership with leaders at all levels of stakeholder organizations.
While the initial focus was on cross-sector needs, Section 8(b) of the Executive Order called on "Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments." NIST has participated in these and similar industry-government collaborative activities, in some cases serving in an advisory capacity.
In the time since the Framework's publication, NIST's primary goal has been to raise awareness of the Framework and how it can be used to manage cyber risks, in order to assist industry sectors and organizations to gain experience with it. While NIST appreciates that widespread implementation of the Framework can only occur over time, NIST views extensive voluntary use as critical to achieving the goals of the Executive Order. For these reasons, NIST is interested in learning about individual companies' and other organizations' knowledge of and experiences with the Framework. NIST wants to better understand how companies and organizations in all critical infrastructure sectors are approaching and making specific use of the Framework, in accordance with Section 7(f) of the Executive Order. This includes learning about which aspects of the Framework have been helpful or challenging, and about whether and how the Framework has been used to modify and strengthen management of cyber risks. The
FOOTNOTE 4 http://www.us-cert.gov/ccubedvp. END FOOTNOTE
NIST understands that at this early stage the Framework may be used in a variety of ways, including: participation in a sector group that is reviewing how the Framework can best be implemented and coordinated with ongoing or planned initiatives; initial high-level review of an organization's current management of cyber risk; and more intensive deployment as an organization's guiding approach to managing its cyber risk.
In addition to seeking comments from individual critical infrastructure owners and operators of all sizes and their representatives from sector and professional associations, NIST invites submissions from Federal agencies, state, local, territorial and tribal governments, standard-setting organizations, /5/ other members of industry, consumers, solution providers, and other stakeholders.
FOOTNOTE 5 As used herein, "standard-setting organizations" refers to the wide cross section of organizations that are involved in the development of standards and specifications, both domestically and abroad. END FOOTNOTE
Request for Information
The following questions cover the major areas about which NIST seeks comment. They are not intended to limit the topics that may be addressed. Responses may include any topic believed to have implications for the degree of awareness and voluntary use and subsequent improvement of the Framework, regardless of whether the topic is included in this document.
--This is a summary of a
Notice; Request for Information (RFI).
Citation: "79 FR 50891"
Document Number: "Docket Number: 140721609-4609-01"
Federal Register Page Number: "50891"
"Notices"
Copyright: (c) 2014 Federal Information & News Dispatch, Inc.
Wordcount: 1445