NIST moves to upgrade cybersecurity framework, solicits public for feedback

National Institute of Standards and Technology wants info on how the Framework is being used to improve cybersecurity within organizations.
By Tom Sullivan
03:26 PM

The National Institute of Standards and Technology plans to ratchet up its two-year-old security offering, dubbed the Framework for Improving Critical Infrastructure Cybersecurity, and has put out a public call for user feedback.

NIST first released Version 1.0 in February 2014. It is among a handful of best practices, guidance standards gaining purchase in healthcare, including HITRUST Common Security Framework, ISO/IEC 27002, Control Objectives for Information Technology (COBIT).

"NIST requests information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework," according to a Request for Information published in the Federal Register.

[See also: Cybersecurity strategies evolving in face of big risk.]

Responses will contribute to shaping NIST's decision-making about how to strengthen the framework and, ideally, the nation's critical infrastructure.

"Where we'd like to get to eventually is institutionalizing cybersecurity and then operationalizing it," NIST fellow Ron Ross said earlier this month at the Healthcare IT News Privacy and Security Forum in Boston.

Ross added that the healthcare industry cannot continue to be reactive but, instead, must apply science and engineering to the security problems the industry faces.

NIST is also planning a workshop related to the request for information and the framework's future on April 6 and 7, 2016, in Gaithersburg, Maryland, but did not give specifics for the event. The comment period closes on February 9, 2016 at 5 p.m. EST.

Twitter: @SullyHIT