Industry Urges Changes to NIST Framework Update
The government’s cyber standards agency should add a section to its cybersecurity framework promoting best practices for organizations to receive digital vulnerability reports from security researchers, a coalition of cyber companies and advocacy groups said Monday.

That section should include processes for receiving, reviewing and responding to vulnerability disclosures, according to the comments signed by cybersecurity firms Symantec, Tenable and Rapid7 as well as digital rights groups including the Electronic Frontier Foundation, the Center for Democracy and Technology and New America’s Open Technology Institute, among others.

The comments came in response to a request for public feedback on the framework update from the National Institute of Standards and Technology.

NIST released its cybersecurity framework to great fanfare in 2014. It’s essentially a best-practices guide for industry to ensure its cybersecurity practices are up to snuff. The framework has been adopted in some form by about 30 percent of U.S. companies since its release and that number is expected to reach around 50 percent by 2020.

NIST officials have described the update as a 1.1 version that will respond to changes in the cyber landscape and feedback from industry since the framework’s initial release.

“Establishing a coordinated vulnerability disclosure and handling process—and communicating the existence and scope of that policy publicly—can help organizations quickly detect and respond to vulnerabilities disclosed to them by external sources, leading to mitigations that enhance the security, data privacy and safety of their systems,” the organizations said.

Numerous organizations rushed to comment on the framework update ahead of a Monday deadline. NIST expects to hold more public meetings on the framework update before releasing a final version in fall of 2017.

The cybersecurity firms Intel and McAfee critiqued several parts of the update, saying they’re not fleshed out enough to be useful yet, especially a section on “measuring and demonstrating cybersecurity.”

The U.S. Chamber of Commerce also expressed concerns about the metrics section, saying it could leave companies confused about how and when regulators could access their cybersecurity data.

The National Association of Federally-Insured Credit Unions warned the increased focus on measures and metrics might be a poor fit for heavily regulated organizations such as credit unions working with sector-specific measurements.

Chamber members are also concerned policymakers will use efforts to monitor industry adoption of the framework as an invitation to mandate framework use in particular sectors, the business organization said.

NIST officials have regularly stressed the framework should be flexible and voluntary, but lawmakers and other executive branch officials have sometimes discussed making portions of it mandatory for some regulated sectors. A leaked draft of a Trump administration executive order on cybersecurity contemplated making framework compliance mandatory for government agencies.

The chamber also suggested the government create metrics to measure how well it is deterring criminals and adversary nations from targeting U.S. organizations with cyberattacks.

Intel and McAfee also suggested a more international focus for the framework and a standardized process for updating certain elements of the framework without re-issuing the entire thing.

The companies urged against including recommendations specific to government agencies, saying that might inhibit the framework being used as widely as possible.
