Sep 08 2014

Is the Cybersecurity Framework Improving Security?

The National Institute of Standards and Technology wants to know who is using the framework and how it is affecting organizations.

The National Institute of Standards and Technology wants to know whether companies that operate the nation’s most critical infrastructure are aware of the cybersecurity framework released in February and what impact the framework is having on their security environment.

In a request for information released Aug. 26, NIST outlined several questions aimed at gauging the use and effectiveness of its collaborative work with industry to develop best practices and voluntary standards for managing cyber risk, organized around the framework’s five core functions: identifying assets and risks, protecting systems, and detecting, responding to and recovering from a cyberattack.

The framework is primarily intended for organizations that control the nation’s most critical systems, such as transportation and water. Attacks on such organizations or the infrastructure they manage could result in great economic damage or loss of life. But any company or government agency can adapt the framework to fit its needs.

Collaboration has been a major theme throughout the development of the cybersecurity framework, and the RFI is an extension of NIST’s ongoing partnership with industry and the public to consider and incorporate their feedback. Comments are due by Oct. 10.

Here are some of the questions included in the RFI:

  • What is the extent of awareness of the framework among the nation's critical infrastructure organizations? Six months after the framework was issued, has it gained the traction needed to be a factor in how organizations manage cyber risks in the nation's critical infrastructure?
  • If your sector is regulated, do you think your regulator is aware of the framework, and do you think it has taken any visible actions reflecting such awareness?
  • Which sectors and organizations are actively planning to, or already are, using the framework and how?
  • What expectations have not been met by the framework and why? Specifically, what about the framework is most helpful and why? What is least helpful and why?
  • Are organizations leveraging Section 3.5 of the Framework (“Methodology to Protect Privacy and Civil Liberties”) and, if so, what are their initial experiences? If organizations are not leveraging this methodology, why not?

NIST also wants feedback on whether there is awareness of the framework internationally, given the connected nature of digital assets globally. But the government may never know how broadly the framework is being used because companies don’t have to report if and how they are using it, Federal Times reported earlier this year.

RFI responses will be published online and “will inform NIST's planning and decision-making about possible tools and resources to help organizations to use the framework more effectively and efficiently,” according to NIST. The feedback will also inform development of future versions of the framework and the Department of Homeland Security's Critical Infrastructure Cyber Community (C3) Voluntary Program.

NIST plans to host a workshop on the framework in October.
