NIST Posts Initial Analysis of Comments on Cybersecurity Framework

The National Institute of Standards and Technology (NIST) announced that it has prepared an initial analysis of hundreds of comments submitted by industry and the public related to the President's "Improving Critical Infrastructure Cybersecurity" Executive Order issued in February.  NIST is making the initial analysis available as a status update and to provide background for a workshop later this month to discuss the Cybersecurity Framework.  The workshop will be held at Carnegie Mellon University on May 29-31, 2013.  

EDUCAUSE submitted comments in response to the 33 questions in the Request for Information. While supporting the proposition that a modern cybersecurity framework of standards, guidelines, and best practices would be helpful for the higher education community, EDUCAUSE warned that the diversity in size and type of higher education institutions will require flexibility in how a framework designed for critical infrastructures might be applied to the non-profit, educational sector. Additionally, the resulting framework must be easy to adopt and not overly complex if higher education institutions are to embrace it.

The EDUCAUSE comments are also supported by the initial analysis, which sets forth some Principles (characteristics and considerations that the Framework must embrace):

  • Flexibility - the framework can be applied across multiple sectors and across the diverse group of stakeholders
  • Impact on Global Operations - impacts of the framework on global and international operations
  • Risk Management Approaches - the framework should encourage the use of risk-based approaches rather than compliance-based approaches
  • Leveraging Existing Approaches, Standards, and Best Practices - the framework should leverage existing risk management approaches, standards, and best practices.  Owners/operators should not have to manage overlapping or duplicative approaches, dual standards and conflicting requirements.

A new Request for Comment is expected in the Fall after NIST takes into account all that it learns from the comments and the workshops.