NIST Requests Public Comments On Improving Cybersecurity Framework

February 25, 2022 - The National Institute of Standards and Technology (NIST) issued a request for public comments on improving the NIST Cybersecurity Framework, a resource initially launched in 2014 that established best practices and cybersecurity standards across the public and private sectors. NIST requested that experts submit comments no later than April 25, 2022.

The request also called for recommendations for updating NIST’s guidance on improving critical infrastructure security and supply chain security. NIST recently established the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), which further catalyzed the need to integrate new standards into NIST’s existing framework.

“The Cybersecurity Framework was last updated in April 2018. Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education and workforce, and the availability of resources to help organizations to manage cybersecurity risk better,” the request for information stated.

“That includes an increased awareness of and emphasis on cybersecurity risks in supply chains, including a decision to launch NIICS. With those changes in mind, NIST seeks to build on its efforts to cultivate trust by advancing cybersecurity and privacy standards and guidelines, technology, measurements, and practices by requesting information about the use, adequacy, and timeliness of the Cybersecurity Framework and the degree to which other NIST resources are used in conjunction with or instead of the Framework.”

In its current form, the NIST Cybersecurity Framework aims to help organizations across all sectors identify, prepare, and respond to cyber threats.

But 2020 research from CynergisTek suggested that only 44 percent of healthcare organizations adhered to NIST’s standards, despite the increase in healthcare data breaches in recent years.

NIST is seeking industry feedback on the usefulness of its framework, challenges that may prevent organizations from using the framework, and any features that may need to be added or removed. A major focus of the request is on aligning the framework to other risk management resources.

“Are there commonalities or conflicts between the NIST framework and other voluntary, consensus resources?” NIST asked.  

“Are there commonalities or conflicts between the NIST framework and cybersecurity-related mandates or resources from government agencies?”

NIST’s increasing interest in supply chain security signifies a shift in the cyber threat landscape. A recent survey commissioned by CrowdStrike and conducted by Vanson Bourne found that organizations were losing trust in legacy IT vendors in light of recent cyberattacks that exposed severe supply chain security gaps.

High-profile cyberattacks, including those against Colonial Pipeline and Sunburst, put supply chain security issues in the spotlight. Issues in the healthcare supply chain could result in delays and patient safety issues.

Updated industry standards and best practices that reflect the ever-changing cyber threat landscape may help organizations manage risk more effectively.