NIST is seeking information on the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). As directed by Executive Order 13636, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), the Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was released on February 12, 2014, after a year-long open process involving private and public sector organizations, including extensive industry input and public comments. In order to fulfill its responsibilities under the Cybersecurity Enhancement Act of 2014, NIST is committed to maintaining an inclusive approach, informed by the views of a wide array of individuals, organizations, and sectors.
In this RFI, NIST requests information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework. This information is needed in order to carry out NIST's responsibilities under the Cybersecurity Enhancement Act of 2014 and the Executive Order.
Responses to this RFI—which will be posted at https://www.nist.gov/cyberframework/additional-information/rfis/rfi-december-11-2015—will inform NIST's planning and decision-making about how to further advance the Framework so that the Nation's critical infrastructure is more secure by enhancing its cybersecurity and risk management.
All information provided will also assist in developing the agenda for a Cybersecurity Framework Workshop 2016 on the Framework being planned by NIST for April 6 and 7, 2016, in Gaithersburg, Maryland. Specifics about the workshop will be announced at a later date.