82 FR 8408 - Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Federal Register Volume 82, Issue 15 (January 25, 2017)

Page Range: 8408-8409
FR Document: 2017-01599


[Federal Register Volume 82, Number 15 (Wednesday, January 25, 2017)]
[Notices]
[Pages 8408-8409]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-01599]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Proposed Update to the Framework for Improving Critical 
Infrastructure Cybersecurity

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice, request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
requests comments on a proposed update to the Framework for Improving 
Critical Infrastructure Cybersecurity (the ``Framework''). The 
voluntary Framework consists of standards, methodologies, procedures, 
and processes that align policy, business, and technological approaches 
to address cyber risks. The Framework was published on February 12, 
2014, after a year-long, open process involving private and public 
sector organizations, including extensive input and public comments. It 
has been used with increasing frequency and in a variety of ways by 
organizations of all sizes, areas of interest, and based inside and 
outside the United States.
    This Request for Comments (RFC) is meant to facilitate coordination 
with, ``private sector personnel and entities, critical infrastructure 
owners and operators, and other relevant industry organizations'' as 
directed by the Cybersecurity Enhancement Act of 2014.\1\ The proposed 
update to the Framework is available for review at http://www.nist.gov/cyberframework. Responses to this RFC will be posted at http://www.nist.gov/cyberframework and will inform NIST's planned update to 
the Framework.
---------------------------------------------------------------------------

    \1\ See 15 U.S.C. 272(e)(1)(A)(i). The Cybersecurity Enhancement 
Act of 2014 (S.1353) became public law 113-274 on December 18, 2014 
and may be found at: https://www.congress.gov/bill/113th-congress/senate-bill/1353/text.
---------------------------------------------------------------------------

DATES: Comments must be received by 5:00 p.m. Eastern time on April 10, 
2017.

ADDRESSES: Written comments may be submitted by mail to Edwin Games, 
National Institute of Standards and Technology, 100 Bureau Drive, Stop 
8930, Gaithersburg, MD 20899. Online submissions in electronic form may 
be sent to cyberframework@nist.gov in any of the following formats: 
HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include 
your name, organization's name (if any), and cite ``Comments on Draft 
Update of the Framework for Improving Critical Infrastructure 
Cybersecurity'' in all correspondence. Comments containing references, 
studies, research, and other empirical data that are not widely 
published should include copies of the referenced materials. The 
proposed update to the Framework is available for review at http://www.nist.gov/cyberframework.
    All comments received in response to this RFC will be posted at 
http://www.nist.gov/cyberframework without change or redaction, so 
commenters should not include information they do not wish to be posted 
(e.g., personal or confidential business information). Comments that 
contain profanity, vulgarity, threats, or other inappropriate language 
will not be posted or considered.

[[Page 8409]]


FOR FURTHER INFORMATION CONTACT: For questions about this RFC contact: 
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue 
NW., Washington, DC 20230, telephone (202) 482-0788, email 
Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST's Office 
of Public Affairs at (301) 975-2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the 
United States depends on the reliable functioning of critical 
infrastructure,\2\ which has become increasingly dependent on 
information technology. Cyber attacks and publicized weaknesses 
reinforce the need for improved capabilities for defending against 
malicious cyber activity. This is a long-term challenge.
---------------------------------------------------------------------------

    \2\ For the purposes of this RFC the term ``critical 
infrastructure'' has the meaning given the term in 42 U.S.C. 
5195c(e): ``systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of 
such systems and assets would have a debilitating impact on 
security, national economic security, national public health or 
safety, or any combination of those matters.''
---------------------------------------------------------------------------

    The Secretary of Commerce was tasked to direct the Director of NIST 
to lead the development of a voluntary framework to reduce cyber risks 
to critical infrastructure (the ``Framework'').\3\ The Framework 
consists of standards, methodologies, procedures and processes that 
align policy, business, and technological approaches to address cyber 
risks. The Framework was developed by NIST using information collected 
through the Request for Information (RFI) that was published in the 
Federal Register on February 25, 2013 (78 FR 13024), a series of open 
public workshops, and a 45-day public comment period announced in the 
Federal Register on October 29, 2013 (78 FR 64478). It was published on 
February 12, 2014, after a year-long, open process involving private 
and public sector organizations, including extensive input and public 
comments, and announced in the Federal Register on February 18, 2014 
(79 FR 9167). Responses to subsequent RFIs, as announced through the 
Federal Register (79 FR 50891 and 80 FR 76934), and workshops 
encouraged NIST to update the Framework.
---------------------------------------------------------------------------

    \3\ See Executive Order 13636, Improving Critical Infrastructure 
Cybersecurity (Feb. 12, 2013), https://www.thefederalregister.org/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf. The Cybersecurity Framework may be 
found at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------

    The Cybersecurity Framework incorporates voluntary consensus 
standards and industry best practices to the fullest extent possible 
and is consistent with voluntary international consensus-based 
standards when such international standards advance the objectives of 
the Cybersecurity Enhancement Act of 2014. The Framework is designed 
for compatibility with existing regulatory authorities and regulations, 
although it is intended for voluntary adoption.
    Given the diversity of sectors in the Nation's critical 
infrastructure, the Framework development process was designed to build 
on cross-sector security standards and guidelines that are immediately 
applicable or likely to be applicable to critical infrastructure. The 
process also was intended to increase visibility and use of those 
standards and guidelines, and to find potential areas for improvement 
(e.g., where standards/guidelines are nonexistent) that need to be 
addressed through future collaboration with industry and industry-led 
standards bodies.
    While the focus of the Framework is on the Nation's critical 
infrastructure, it was developed in a manner to promote wide adoption 
of practices to increase risk management-based cybersecurity across all 
industry sectors and by all types of organizations.
    NIST has worked closely with industry groups, associations, non-
profits, government agencies, and international standards bodies to 
increase awareness of the Framework. NIST has promoted the use of the 
Framework as a basic, flexible, and adaptable tool for managing and 
reducing cybersecurity risks. The Framework was designed as a 
communication tool. It is applicable for leaders at all levels of an 
organization. For these reasons, NIST has engaged a wide diversity of 
stakeholders in Framework education. NIST has also issued several RFIs, 
held workshops, and encouraged direct communication with potential and 
current users of the Framework.
    Based on the information received from the public via these 
channels and the work that it has carried out on cybersecurity--
including its collaborative efforts with the private sector--NIST has 
developed a draft update of the Framework (termed ``Version 1.1'' or 
``V1.1''), available at http://www.nist.gov/cyberframework. This draft 
update seeks to clarify, refine, and enhance the Framework, and make it 
easier to use, while retaining its flexible, voluntary, and cost-
effective nature. The update also will be fully compatible with the 
February 2014 version of the Framework in that either version may be 
used by organizations without degrading communication or functionality.

Request for Comments

    NIST is soliciting public comments on this proposed update. 
Specifically, NIST is interested in comments that address updated 
features of the Framework. These features seek to:
     • Clarify Implementation Tier use and relationship to 
Profiles,
     • Enhance guidance for applying the Framework for supply 
chain risk management,
     • Provide guidance on metrics and measurements using the 
Framework,
     • Update the FAQs to support understanding and use of 
Framework, and
     • Update the Informative References.
    NIST also will consider comments on other aspects of the Framework 
update. All comments will be made available to the public. These 
comments will be analyzed and will be one focus of a public workshop to 
be held in May 2017. Details about that workshop, which also will 
feature user experiences with the Framework, will be announced on the 
NIST Cybersecurity Framework Web site at: https://www.nist.gov/cyberframework. To receive notice about the workshop, please contact: 
[email protected].
    After the May 2017 workshop and considering the comments received 
on this draft update, NIST intends to issue a final version of 
Framework V1.1 along with an updated Roadmap \4\ document that 
describes recommended activities in work areas that are related and 
complementary to the Framework.
---------------------------------------------------------------------------

    \4\ The Cybersecurity Framework Roadmap may be found at: https://www.nist.gov/sites/default/files/documents/cyberframework/roadmap-021214.pdf.

Kevin Kimball,
NIST Chief of Staff.
[FR Doc. 2017-01599 Filed 1-24-17; 8:45 am]
 BILLING CODE 3510-13-P



                                                                                                            across all industry sectors and by all
                                                  approaches to address cyber risks. The                                                                          the workshop, please contact:
                                                                                                            types of organizations.
                                                  Framework was developed by NIST                              NIST has worked closely with                       cyberframework@nist.gov.
                                                  using information collected through the                   industry groups, associations, non-                      After the May 2017 workshop and
                                                  Request for Information (RFI) that was                    profits, government agencies, and                     considering the comments received on
                                                  published in the Federal Register on                      international standards bodies to                     this draft update, NIST intends to issue
                                                  February 25, 2013 (78 FR 13024), a                        increase awareness of the Framework.                  a final version of Framework V1.1 along
                                                  series of open public workshops, and a                    NIST has promoted the use of the                      with an updated Roadmap 4 document
                                                  45-day public comment period                              Framework as a basic, flexible, and                   that describes recommended activities
                                                  announced in the Federal Register on                      adaptable tool for managing and                       in work areas that are related and
                                                  October 29, 2013 (78 FR 64478). It was                    reducing cybersecurity risks. The                     complimentary to the Framework.
                                                  published on February 12, 2014, after a                   Framework was designed as a                           Kevin Kimball,
                                                  year-long, open process involving                         communication tool. It is applicable for
                                                  private and public sector organizations,                                                                        NIST Chief of Staff.
                                                                                                            leaders at all levels of an organization.             [FR Doc. 2017–01599 Filed 1–24–17; 8:45 am]
                                                  including extensive input and public                      For these reasons, NIST has engaged a
                                                  comments, and announced in the                            wide diversity of stakeholders in
                                                                                                                                                                  BILLING CODE 3510–13–P
                                                  Federal Register on February 18, 2014                     Framework education. NIST has also
                                                  (79 FR 9167). Responses to subsequent                     issued several RFIs, held workshops,
                                                  RFIs, as announced through the Federal                    and encouraged direct communication                   CONSUMER PRODUCT SAFETY
                                                  Register (79 FR 50891 and 80 FR                           with potential and current users of the               COMMISSION
                                                  76934), and workshops encouraged                          Framework.                                            [Docket No. CPSC–2010–0055]
                                                  NIST to update the Framework.                                Based on the information received
                                                     The Cybersecurity Framework                            from the public via these channels and                Agency Information Collection
                                                  incorporates voluntary consensus                          the work that it has carried out on                   Activities; Proposed Collection;
                                                  standards and industry best practices to                  cybersecurity—including its                           Comment Request; Standard for the
                                                  the fullest extent possible and is                        collaborative efforts with the private                Flammability of Mattresses and
                                                  consistent with voluntary international                   sector—NIST has developed a draft                     Mattress Pads and Standard for the
                                                                                                            update of the Framework (termed                       Flammability (Open Flame) of Mattress
                                                     2 For the purposes of this RFC the term ‘‘critical
                                                                                                            ‘‘Version 1.1’’ or ‘‘V1.1’’), available at            Sets
                                                  infrastructure’’ has the meaning given the term in
                                                  42 U.S.C. 5195c(e): ‘‘systems and assets, whether         http://www.nist.gov/cyberframework.
                                                                                                            This draft update seeks to clarify, refine,           AGENCY: Consumer Product Safety
                                                  physical or virtual, so vital to the United States that
                                                  the incapacity or destruction of such systems and         and enhance the Framework, and make                   Commission.
                                                  assets would have a debilitating impact on security,      it easier to use, while retaining its                 ACTION: Notice.
mstockstill on DSK3G9T082PROD with NOTICES




                                                  national economic security, national public health
                                                  or safety, or any combination of those matters.’’         flexible, voluntary, and cost-effective
                                                                                                                                                                  SUMMARY: As required by the Paperwork
                                                     3 See Executive Order 13636, Improving Critical        nature. The update also will be fully
                                                                                                                                                                  Reduction Act of 1995, the Consumer
                                                  Infrastructure Cybersecurity (Feb. 12, 2013), https://    compatible with the February 2014
                                                  www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-                                                                   Product Safety Commission (CPSC, or
                                                                                                            version of the Framework in that either
                                                  03915.pdf. The Cybersecurity Framework may be
                                                  found at: https://www.nist.gov/sites/default/files/
                                                                                                            version may be used by organizations                    4 The Cybersecurity Framework Roadmap may be

                                                  documents/cyberframework/cybersecurity-                   without degrading communication or                    found at: https://www.nist.gov/sites/default/files/
                                                  framework-021214.pdf.                                     functionality.                                        documents/cyberframework/roadmap-021214.pdf.






Document Created: 2017-01-25 00:09:07
Document Modified: 2017-01-25 00:09:07
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:, GS 4.107:, AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice, request for comments.
Dates: Comments must be received by 5:00 p.m. Eastern time on April 10,
Contact: For questions about this RFC contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482-0788, email [email protected]. Please direct media inquiries to NIST's Office of Public Affairs at (301) 975-2762.
FR Citation: 82 FR 8408
