U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

    Publications

NIST SP 800-100 Rev. 1 (Initial Preliminary Draft)

PRE-DRAFT Call for Comments | Information Security Handbook: A Guide for Managers

Date Published: January 9, 2024
Comments Due: February 23, 2024
Email Comments to: sp800-100-comments@nist.gov

Announcement

Summary

NIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing this Pre-Draft Call for Comments to solicit feedback from users. The public is invited to provide input by February 23, 2024

Details

Since SP 800-100 was published in October of 2006, NIST has developed new frameworks for cybersecurity and risk management and released major updates to critical resources and references. This revision would focus the document’s scope for the intended audience and ensure alignment with other NIST guidance. Before revising, NIST would like to invite users and stakeholders to suggest changes that would improve the document’s effectiveness, relevance, and general use with regard to cybersecurity governance and the intersections between various organizational roles and information security.

NIST welcomes feedback and input on any aspect of SP 800-100 and additionally proposes a list of non-exhaustive questions and topics for consideration:

  • What role do you fill in your organization?
  • How have you used or referenced SP 800-100?
  • What specific topics in SP 800-100 are most useful to you?
  • What challenges have you faced in applying the guidance in SP 800-100?
  • Is the document’s current level of specificity appropriate, too detailed, or too general? If the level of specificity is not appropriate, why?
  • How can NIST improve the alignment between SP 800-100 and other frameworks and publications?
  • What new cybersecurity capabilities, challenges, or topics should be addressed?
  • What current topics or sections in the document are out of scope, no longer relevant, or better addressed elsewhere?
  • Are there other substantive suggestions that would improve the document?
  • Specific topics to consider for revision or improvement:
    • Cybersecurity governance
    • Role of information security in the software development life cycle (e.g., agile development)
    • Contingency planning and the intersection of roles across organizations
    • Risk management
      • Enterprise risk management
      • Supply chain risk management and acquisitions
      • Metrics development and cybersecurity scorecard
    • System authorizations
    • Relationship between privacy and information security programs

The comment period is open through February 23, 2024. Please submit comments to sp800-100-comments@nist.gov with "Comments on Information Security Handbook: A Guide for Managers” in the subject field. We encourage you to use this comment template.

Abstract

Control Families

None selected

Documentation

Publication:
See SP 800-100 (pdf)

Supplemental Material:
Comment template (xlsx)

Document History:
01/09/24: SP 800-100 Rev. 1 (Draft)