The NIST Cybersecurity Framework will receive a minor update, which will include updating the informative references, clarifying guidance for implementation tiers, and placing cyber threat intelligence in the Framework Core, according to a recent NIST announcement.
Furthermore, NIST will update its guidance for applying the Framework for supply chain risk management.
The updates and clarification follow NIST gathering feedback and suggestions from various industry stakeholders over the past two years. A draft of the next Framework version will be available for comment in 2017.
The Framework was originally released in February 2014, and NIST issued a request for information (RFI) on its use and possible evolution in December 2015. NIST received 105 responses, and the feedback covered areas such as current Framework use, best practices for using the Framework, and options for its long-term governance.
A workshop was also held earlier this year, where stakeholders were encouraged to share case studies, best practices, and overall analysis of how they have used the Framework.
According to NIST, the evolution and maintenance of the Framework were a key topic of both the RFI and the workshop. However, many participants felt that it was too early to move to a new governance structure.
“In the event of increased private sector leadership of the Framework, private sector recommended that NIST still be substantively involved, continuing to guide the discussion,” the summary explained.
In terms of updating the Framework, NIST explained that it will proceed with a minor update. The agency maintained that it did not want to disrupt current Framework users, and hoped that any disruption would be minimal as it attempts to clarify and refine the Framework.
Per RFI and Workshop feedback, NIST will continue its role as convener of Framework stakeholders. Additionally, NIST observes many positive practices in supporting Framework use and sharing “best practices” in sectors and communities. To institutionalize the process of Framework maintenance and evolution, and to highlight positive Framework practices in sectors and communities, NIST will publish a Framework governance methodology as a part of the upcoming minor update.
NIST added that it has also started developing “self-assessment criteria to support organizational understanding of cybersecurity risk management business practices.”
The summary also advised stakeholders to continue the process of sharing information about the Framework, to further assist others. Specifically, NIST recommended stakeholders do the following:
- Customize the Framework for your sector or community
- Publish a sector or community Profile or relevant “crosswalk”
- Advocate for the Framework throughout your sector or community, with related sectors and communities
- Publish “summaries of use” or case studies of your Framework implementation
- Share your Framework resources with NIST
Earlier this year, NIST also published some of the comments that it received on how the Framework could be improved. For healthcare specifically, one participant agreed that “a common set of consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes in relation to privacy and information security risk management” would be beneficial.
Another comment asked for a collaborative update process that limits disruption to organizations already using the Framework.
In some ways though, the healthcare industry is already making great strides in how to successfully implement and use the Framework. In February, the Office for Civil Rights (OCR) released a crosswalk to help covered entities identify “mappings” between the HIPAA Security Rule and NIST Cybersecurity Framework.
“This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory,” OCR explained. “Due to the granularity of the NIST Cybersecurity Framework’s Subcategories, some HIPAA Security Rule requirements may map to more than one Subcategory.”