
EDUCAUSE Submits Comments to NIST on Cybersecurity Framework

EDUCAUSE submitted comments on behalf of the Higher Education Information Security Council (HEISC) to address several questions raised by a NIST Request for Information concerning standards, guidelines, or best practices that promote the protection of information and information systems.  You can also review all of the comments received.  The Request For Information (RFI) issued by the National Institute for Standards and Technology (NIST) was directed by the President under the Executive Order “Improving Critical Infrastructure Cybersecurity”.  NIST is working with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.  The RFI, initial workshop, and a subsequent workshop to be held at Carnegie Mellon University are early steps in collecting information and engaging the private sector.

While colleges and universities are not deemed "critical infrastructure", HEISC participated because of the interdependencies with other owners and operators of critical infrastructures and the relevance of existing standards such as ISO 27002 and NIST 800-53. In fact, the HEISC Information Security Guide is organized according to the ISO standard with cross-references to NIST, COBIT, and PCI DSS. Additionally, the RFI explains:

While the Framework will be focused on critical infrastructure, given the broad diversity of sectors that may include parts of critical infrastructure, the evolving nature of the classification of critical infrastructure based on risk, and the intention to involve a broad set of stakeholders in development of the Framework, the RFI will generally use the broader term "organizations" when seeking information.

The goals of the Framework development process will be:

  1. to identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
  2. to specify high-priority gaps for which new or revised standards are needed; and
  3. to collaboratively develop action plans by which these gaps can be addressed.


Within eight months NIST intends to publish for additional comment a draft Framework that clearly outlines areas of focus and provides preliminary lists of standards, guidelines, and best practices that fall within that outline.  The draft will also include initial conclusions for additional public comment.


