Cybersecurity Framework Feedback: What We Heard and Next Steps

Editor’s Note: NIST’s complete Cybersecurity Framework Workshop Summary is available here. Below is an excerpt.

From: NIST

The majority of Framework stakeholders that offered views felt that NIST should update the Framework, in some respect, in the near term. Many RFI respondents and workshop participants desired additional guidance on how to implement outcomes and activities outlined in the Framework. These comments focused on Profile development, gap assessment, risk assessment, and Framework implementation assessments. Additionally, many RFI respondents and workshop participants desired examples of use that incorporate Framework Roadmap topics. Many participants advocated for a NIST-sponsored ecosystem to facilitate examples and results sharing between organizations. To alleviate regulatory concerns, participants felt that NIST should facilitate the Framework’s role as non-mandatory guidance suitable for enhancing cybersecurity across multiple sectors by mapping various sector regulations to the Framework Core.

RFI respondents and workshop participants commonly expressed concern regarding the Framework Tiers and what they perceived as a lack of clarity about how the tiers should be utilized in following the Framework’s approach. NIST was encouraged to explore alternate methods of addressing organizational capability and maturity. RFI respondents and workshop participants also recognized there could be a potential impact to current implementations of the Framework associated with new updates and urged strongly that any updates to the Framework be made mindful of the need to minimize disruption to the ecosystem. This was one of the clearest takeaways from the feedback provided to NIST.
