NIST Refreshing Voluntary Cybersecurity Framework Amid Push for Mandates

Dana Romanoff/Getty Images

The agency is soliciting comments to update a core document that lets entities pick and choose which technical standards they want to apply to their systems based on their own risk assessment.

The National Institute of Standards and Technology wants to know how it might improve its landmark framework of cybersecurity standards and practices and streamline similar efforts related to particular issues like privacy and supply-chain security.

“Every organization needs to manage cybersecurity risk as a part of doing business, whether it is in industry, government or academia,” said Commerce Deputy Secretary Don Graves in a news bulletin NIST published Tuesday. “It is critical to their resilience and to our nation’s economic security. There are many tools available to help, and the CSF is one of the leading frameworks for private sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.” 

The NIST CSF emerged in 2014 under an executive order from President Barack Obama as a way to guide the private-sector entities that control the vast majority of our critical infrastructure, without forcing them to do anything. Cybersecurity was seen as its own incentive for companies’ motivation to adopt it to whatever degree they see fit.

“The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses,” reads NIST’s original press release of the CSF.

Seven years later, another executive order—14208, which President Joe Biden issued in May following a string of massive hacks—suggests a need for potential changes to Federal Acquisition Regulations, especially given the trend of adversaries targeting victims' underlying supply chains and getting an exponentially bigger bang for their buck. Where possible—at the Transportation and Security Administration, for example, the administration has also issued directives with specific cybersecurity practices companies must follow under threat of fines.

NIST is accepting comments on the framework through April, 25, and, among other things, is seeking “suggestions for improving alignment or integration of the Cybersecurity Framework with other NIST risk management resources.” Those other resources include NIST frameworks on risk management, privacy, secure software development, the internet of things and the cybersecurity workforce. 

NIST is also specifically asking for comment on whether it should be looking to create a whole other framework for supply chain management, or whether those practices should be incorporated into the CSF.