The update will include a focus on supply chains for both hardware and software.
The National Institute of Standards and Technology is preparing to again update a document that has long been at the center of federal cybersecurity policy with a request for information expected early next year, according to officials from the agency.
NIST’s Cybersecurity Framework has only been updated once since it was published in 2014. But with the evolution of large-scale cyberattacks affecting the federal enterprise over the last year, as well as the emergence of new technologies, the agency is revisiting the landmark document.
“It's no surprise to anybody here, we're operating in a very dynamic environment,” said Kevin Stine, chief of the applied cybersecurity division of NIST’s Information Technology Laboratory. “There are plenty of opportunities for us to improve the cybersecurity framework based on the changing threat landscape, based on evolutions of technologies and the different practices capabilities we all are trying to leverage and take advantage of, and really—I'd say almost just as importantly—based on the experiences of organizations that have used the cybersecurity framework.”
Stine spoke during a meeting of the agency’s Information Security and Privacy Advisory Board Wednesday. He said the RFI will be based on three question areas: Whether there are new features to consider for helping organizations better manage their risks, opportunities to align the CSF with other resources both internally and externally, and challenges organizations are facing from a technology supply chain perspective.
“We're very conscious of the types and the volume of resources that we issue and we want to make sure that the things that we produce actually do provide value and are aligned and harmonize as much as possible with the other resources that we produce,” he said, adding that includes “making sure that the things that we're providing, either new starts, or updates to existing resources are taking advantage of and align nicely with outside resources as well.”
On the supply-chain front, Stine said the inquiry will help inform a tasking Commerce Secretary Gina Raimondo issued on the heels of a White House cybersecurity summit in August.
As seen in Executive Order 14028, there has already been a large focus on improving cybersecurity through the software supply chain. Stine said the RFI will take a broader approach that more closely examines hardware, firmware, information technology and operational technology as well.
“Almost every conversation we participate in today, and I'm sure many of you too, you know, it all comes back to different dimensions of supply chain,” he said.