As the National Institute of Standards and Technology (NIST) works to update its influential Cybersecurity Framework – first issued in 2014 and later updated in 2018 – a NIST official said on May 17 that the agency is leaning on industry feedback as it embarks on the new update.
Kevin Stine, chief of the Applied Cybersecurity Division at NIST, recounted that NIST issued a request for information (RFI) in February that looked to gather input on three buckets: the Cybersecurity Framework, cybersecurity resources, and supply chain cybersecurity.
The RFI closed at the end of April, and Stine said that of the 130-135 comment submissions NIST received, most of them focused on the Cybersecurity Framework.
Stine said NIST was “thrilled” with the volume of feedback it received, and with submissions from a variety of organizations – including associations that represent “thousands and thousands of companies across the sector and, quite honestly, around the world.”
“The RFI was really the beginning of the stakeholder engagement, so it’s a great opportunity for us to get some early feedback to help shape our plans over the next several months and beyond as we embark on this framework update with all of you,” Stine said during the FISSEA Spring Forum on May 17.
Stine said NIST will publish different drafts and resources “over the coming months and beyond,” and encouraged stakeholders to “stay tuned.”
“I would say coming up soon, we will likely issue a summary analysis of the RFI responses over the next several weeks or month or so, as we pore through those,” Stine said. “We’ll want to identify key themes that emerge from the RFI responses and provide that feedback to the community both for awareness as well as for validation.”
“And then we’ll have some other events and opportunities to engage through future workshops – both virtual and in-person ideally – over the coming months and beyond,” he added.