The National Institute of Standards and Technology (NIST) is seeking public comments on its Framework for Improving Critical Infrastructure Cybersecurity, which was released in February of 2014.
According to a NIST press release, the organization is looking for comments on how the NIST Cybersecurity Framework has functioned since implementation, as well as suggestions for improvements going forward. The comment period will run from December 11, 2015 through February 9, 2016.
Specifically, NIST requests feedback on the following items:
• the variety of ways in which the NIST Cybersecurity Framework is being used to improve cybersecurity risk management,
• how best practices for using the NIST Cybersecurity Framework are being shared,
• the relative value of different parts of the NIST Cybersecurity Framework,
• the possible need for an update of the Framework, and
• options for the long-term management of the Framework.
The NIST Cybersecurity Framework, which was a collaborative public-private venture between NIST and private stakeholders, sought to streamline various security interests including provider, policy, and business interests.
After being prompted by the President to create a national cybersecurity framework, NIST developed the Framework for Improving Critical Infrastructure Cybersecurity. This NIST Cybersecurity Framework created a standard set of protocols and best practices, regardless of business sector. Since the NIST Cybersecurity Framework's release, NIST has seen it adopted by several organizations across the nation.
“Since releasing the Framework in February 2014, NIST has been educating a broad audience about the Framework's use and value. The NIST Cybersecurity Framework is being employed across the country, in a host of sectors, and by organizations ranging from multinationals to small businesses. The proposed value of Framework has been validated through a large volume and breadth of interactions between NIST and industry,” NIST explains on its website.
NIST hopes that this public request for information can help it update the framework to meet the ever-changing needs of the cybersecurity industry. By making periodic evaluations of the framework, NIST will in theory be able to update it to function most efficiently within the industry.
“To fulfill its responsibilities under the Cyber Security Enhancement Act of 2014, NIST is committed to maintaining an inclusive approach that incorporates the views of a wide array of individuals, organizations and sectors,” NIST explained in its press release.
NIST experts explain that the NIST Cybersecurity Framework is a method by which healthcare organizations can understand their cybersecurity plans.
In a recent interview with HealthITSecurity.com, NIST’s Manager of Information Technology Laboratory (Security Outreach and Integration) Kevin Stine explained how the NIST Cybersecurity Framework can help educate the healthcare industry in cybersecurity practices.
“The top line on the Cybersecurity Framework is it’s very much a tool that organizations understand how to manage and communicate cybersecurity risk,” Stine said.
Furthermore, Stine explained that the framework goes beyond implementing best practices within an organization; it helps those organizations communicate cybersecurity risk with other security professionals and business partners.
“That’s not just within an organization’s boundaries, from the C-suite and down to the tactical bits and bytes folks, but it’s also horizontally using the framework as a means to understand and express cybersecurity requirements to partners and suppliers you may be doing business with in other organizations,” he explained.
“Having a strong, standards-based approach provides a solid foundation across not only the healthcare space, but also to using the framework as a way to communicate and express cybersecurity requirements across different sectors,” Stine continued.
Ultimately, Stine says the framework is about creating a common language across security sectors to help facilitate conversation and allow them to help each other with security best practices. Creating those lines of communication will help fill gaps that are occurring in the cybersecurity industry.
“A lot of our engagement with different parts of industry around the cybersecurity framework is really focusing on using the framework as that common language that can help different parties, whether it be from a single sector or multiple sectors,” he said. “Having that valuable conversation is really going a long way to tighten relationships and forge new ones across different sectors.”