The National Institutes of Standards and Technology (NIST) has announced that there will be a minor NIST Cybersecurity Framework update in early 2017.
NIST sought suggestions from industry stakeholders over a period of two years since the NIST Cybersecurity framework was published. NIST issued a request for information (RFI) in December 2015 and received over 100 responses on best practices, Framework use, and suggestions for long term use of the Framework.
NIST also held a workshop during which industry stakeholders provided a number of case studies and shared their best practices. Workshop participants also provided their own analyses on how they have used the Framework. The comments and feedback have been assessed and NIST will use the information to refine the Framework.
One of NIST’s main aims was to determine how the Framework should evolve and how it should be maintained. While a number of stakeholders provided opinions in this regard, many felt that it was too soon to implement a new governance structure.
The NIST Cybersecurity Framework update will include new Framework governance methodology, and NIST will also “institutionalize the process of Framework maintenance and evolution.” The changes will be minimal and it is hoped that they will not disrupt current Framework users.
Something that will prove particularly useful to institutions that have already adopted the Framework is the self-assessment criteria that NIST is currently developing. NIST will include this in the update to allow organizations to gain a better understanding of cybersecurity risk management business processes.
NIST wants to encourage the sharing of best practices and Framework resources, and will welcome case studies from stakeholders and summaries of use. NIST suggested that stakeholders customize the Framework for their industry sector and promote the Framework with related industry sectors and communities.
Healthcare organizations have said they have benefited greatly from adopting the Framework and have been able to improve cybersecurity protections. The OCR’s crosswalk between HIPAA and the NIST Framework has also been hugely beneficial, helping organizations to implement the Framework and ensure compliance with HIPAA Rules.