The importance of informed and more capable cybersecurity risk management continues to grow for all organizations. In accordance with President Obama’s Executive Order 13636, the National Institute of Standards and Technology (NIST) utilized a year-long consultative process with stakeholders to create the Framework for Improving Critical Infrastructure Cybersecurity (the Framework). Released in February 2014, the Framework consists of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
In December 2015, carrying out its role as further defined in the Cybersecurity Enhancement Act of 2014, NIST issued a request for information (RFI). This RFI solicited feedback regarding Cybersecurity Framework use, how best practices for using the Framework are shared, the possible need for an update of the Framework, and options for its long-term governance. NIST received and analyzed 105 responses. In addition, NIST held a workshop in Gaithersburg, MD, on April 6-7, 2016, to encourage additional feedback from stakeholders on the Framework, including case studies, best practice sharing, analysis of items from the NIST Roadmap for Improving Critical Infrastructure Cybersecurity, and the Framework’s further development. Approximately 800 individuals from across the country and around the world participated in the workshop both in person at the NIST Gaithersburg, Maryland campus and via webcast.
This document highlights the most prevalent themes and findings from the December 2015 RFI, Views on the Framework for Improving Critical Infrastructure Cybersecurity, which were validated by the workshop participants. It summarizes areas of agreement as well as issues on which there is a diversity of opinion or a lack of solid information. Based on the feedback provided, this document also describes NIST’s plans and recommended private sector