NIST recently issued a Request for Information (RFI) asking for information that would improve the effectiveness of the Cybersecurity Framework (CSF) for a potential update. As a part of this initiative, NIST wants to better understand how the CSF is being used today and to learn what’s working and what’s not. NIST also wants to explore better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, Risk Management Framework, NICE Workforce Framework, and its series on IoT cybersecurity. NIST wants to know what would help use these tools together more effectively. NIST also recently launched a public-private partnership, called the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), to address supply chain cybersecurity risks. NIST is requesting information that will help identify supply-chain-related cybersecurity needs and harmonize the NIICS initiative with the CSF.
As NIST is considering these changes, it would like to hear from the Forum participants, including on the following questions:
- What areas could be improved in the CSF?
- Could structural changes to the CSF help?
- What challenges have prevented organizations from using the CSF more effectively?
- What are the gaps in existing cybersecurity supply chain risk management guidance and resources, including how they apply to open source software, operational technology, IoT, and industrial IoT?
- How can NIST build on its current work on supply chain security, including software security work stemming from Executive Order 14028, Improving the Nation's Cybersecurity, to increase trust and assurance in technology products and services?
We welcome speaker submissions on related topics, particularly on how Departments and Agencies are currently using the CSF. Please submit speaker submissions to sec-forum@nist.gov by March 14, 2022.
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
