Experience With the Framework for Improving Critical Infrastructure Cybersecurity, 50891-50894 [2014-20315]

Download as PDF Federal Register / Vol. 79, No. 165 / Tuesday, August 26, 2014 / Notices DEPARTMENT OF COMMERCE National Institute of Standards and Technology Manufacturing Extension Partnership Advisory Board National Institute of Standards and Technology, Commerce. ACTION: Notice of Open Meeting. AGENCY: The National Institute of Standards and Technology (NIST) announces that the Manufacturing Extension Partnership (MEP) Advisory Board will hold an open meeting on Thursday, September 18, 2014 from 8:30 a.m. to 5:00 p.m. Eastern Time. DATES: The meeting will be held Thursday, September 18, 2014, from 8:30 a.m. to 5:00 p.m. Eastern Time. ADDRESSES: The meeting will be held at NIST, 100 Bureau Drive, Gaithersburg, MD 20899. Please note admittance instructions in the SUPPLEMENTARY INFORMATION section below. FOR FURTHER INFORMATION CONTACT: Kari Reidy, Manufacturing Extension Partnership, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 4800, Gaithersburg, Maryland 20899–4800, telephone number (301) 975–4919, email: Kari.reidy@nist.gov. SUMMARY: The MEP Advisory Board (Board) is authorized under Section 3003(d) of the America COMPETES Act (Pub. L. 110–69); codified at 15 U.S.C. 278k(e), as amended, in accordance with the provisions of the Federal Advisory Committee Act, as amended, 5 U.S.C. App. The Board is composed of 10 members, appointed by the Director of NIST. Hollings MEP is a unique program, consisting of centers across the United States and Puerto Rico with partnerships at the state, federal, and local levels. The Board provides a forum for input and guidance from Hollings MEP program stakeholders in the formulation and implementation of tools and services focused on supporting and growing the U.S. manufacturing industry, provides advice on MEP programs, plans, and policies, assesses the soundness of MEP plans and strategies, and assesses current performance against MEP program plans. Background information on the Board is available at http://www.nist.gov/mep/ advisory-board.cfm. Pursuant to the Federal Advisory Committee Act, as amended, 5 U.S.C. App., notice is hereby given that the MEP Advisory Board will hold an open tkelley on DSK3SPTVN1PROD with NOTICES SUPPLEMENTARY INFORMATION: VerDate Mar<15>2010 21:48 Aug 25, 2014 Jkt 232001 meeting on Thursday, September 18, 2014 from 8:30 a.m. to 5:00 p.m. Eastern Time. This meeting will focus on (1) the MEP Advisory Board’s review of the plans for implementing the recently adopted NIST MEP Strategic plan, (2) overview of Hollings MEP export initiatives and partnerships, and (3) an update on NIST Hollings MEP system competitions. The final agenda will be posted on the MEP Advisory Board Web site at http://www.nist.gov/mep/ advisory-board.cfm. Admittance Instructions: Anyone wishing to attend this meeting should submit their name, email address and phone number to Kari Reidy (Kari.reidy@nist.gov or 301–975–4919) no later than Thursday, September 11, 2014, 5:00 p.m. Eastern Time. Non-U.S. citizens must submit additional information; please contact Ms. Reidy. All attendees must pre-register in order to be admitted to the NIST campus. Also, please note that under the REAL ID Act of 2005 (Pub. L. 109–13), federal agencies, including NIST, can only accept a state-issued driver’s license or identification card for access to federal facilities if issued by states that are REAL ID compliant or have an extension. NIST also currently accepts other forms of federal-issued identification in lieu of a state-issued driver’s license. For detailed information please contact Ms. Reidy or visit: http://www.nist.gov/ public_affairs/visitor/. Individuals and representatives of organizations who would like to offer comments and suggestions related to the MEP Advisory Board’s business are invited to request a place on the agenda. Approximately 15 minutes will be reserved for public comments at the beginning of the meeting. Speaking times will be assigned on a first-come, first-served basis. The amount of time per speaker will be determined by the number of requests received but is likely to be no more than three to five minutes each. The exact time for public comments will be included in the final agenda that will be posted on the MEP Advisory Board Web site as http:// www.nist.gov/mep/advisory-board.cfm. Questions from the public will not be considered during this period. Speakers who wish to expand upon their oral statements, those who had wished to speak but could not be accommodated on the agenda, and those who were unable to attend in person are invited to submit written statements to the MEP Advisory Board, National Institute of Standards and Technology, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 4800, Gaithersburg, Maryland 20899–4800, or PO 00000 Frm 00008 Fmt 4703 Sfmt 4703 50891 via fax at (301) 963–6556, or electronically by email to kari.reidy@nist.gov Dated: August 11, 2014. Phillip Singerman, Associate Director for Innovation & Industry Services. [FR Doc. 2014–20304 Filed 8–25–14; 8:45 am] BILLING CODE 3510–13–P DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket Number: 140721609–4609–01] Experience With the Framework for Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology, U.S. Department of Commerce. ACTION: Notice; Request for Information (RFI). AGENCY: The National Institute of Standards and Technology (NIST) requests information about the level of awareness throughout critical infrastructure organizations, and initial experiences with the Framework for Improving Critical Infrastructure Cybersecurity (the ‘‘Framework’’). As directed by Executive Order 13636, ‘‘Improving Critical Infrastructure Cybersecurity’’ (the ‘‘Executive Order’’), the Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was released on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments. Responses to this RFI—which will be posted at http://www.nist.gov/ cyberframework/cybersecurityframework-rfi.cfm—will inform NIST’s planning and decision-making about possible tools and resources to help organizations to use the Framework more effectively and efficiently. They will also help inform future versions of the Framework. The responses will also inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program. In addition, NIST is interested in receiving comments related to the Roadmap that accompanied publication of the Framework. All information provided will also assist in developing the agenda for a workshop on the Framework being planned for October 2014. SUMMARY: E:\FR\FM\26AUN1.SGM 26AUN1 50892 Federal Register / Vol. 79, No. 165 / Tuesday, August 26, 2014 / Notices Comments must be received by 5:00 p.m. Eastern time on October 10, 2014. DATES: Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization’s name (if any), and cite ‘‘Experience with the Framework for Improving Critical Infrastructure Cybersecurity’’ in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. All comments received in response to this RFI will be posted at http:// www.nist.gov/cyberframework/ cybersecurity-framework-rfi.cfm without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). ADDRESSES: For questions about this RFI contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482–0788, email Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST’s Office of Public Affairs at (301) 975–2762. FOR FURTHER INFORMATION CONTACT: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,1 which has become increasingly dependent on information technology. Recent cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This will be a long-term challenge. Additional steps must be taken to enhance existing efforts to increase the protection and resilience of critical infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity while also protecting privacy and civil liberties. tkelley on DSK3SPTVN1PROD with NOTICES SUPPLEMENTARY INFORMATION: 1 For the purposes of this RFI the term ‘‘critical infrastructure’’ has the meaning given the term in 42 U.S.C. 5195c(e): ‘‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.’’ VerDate Mar<15>2010 21:48 Aug 25, 2014 Jkt 232001 By Executive Order,2 the Secretary of Commerce was tasked to direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the ‘‘Framework’’).3 The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the RFI that was published in the Federal Register on February 25, 2013, a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013. It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register (79 FR 9167) on February 18, 2014. Given the diversity of sectors in the Nation’s critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption. While the focus of the Framework is on the Nation’s critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations. NIST remains committed to helping organizations understand and use the 2 Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (February 19, 2013). 3 https://www.federalregister.gov/articles/2014/ 02/18/2014-03495/ cybersecurity-framework. PO 00000 Frm 00009 Fmt 4703 Sfmt 4703 Framework. In the five-plus months since the document was published, NIST has reached out and responded to a large number of organizations to raise awareness, answer questions, and learn about their experiences with the Framework. NIST has worked closely with industry groups, associations, nonprofits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks, most frequently working in partnership with leaders at all levels of stakeholder organizations. While the initial focus was on crosssector needs, Section 8(b) of the Executive Order called on ‘‘Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.’’ NIST has participated in these and similar industry-government collaborative activities, in some cases serving in an advisory capacity. In the time since the Framework’s publication, NIST’s primary goal has been to raise awareness of the Framework and how it can be used to manage cyber risks, in order to assist industry sectors and organizations to gain experience with it. While NIST appreciates that widespread implementation of the Framework can only occur over time, NIST views extensive voluntary use as critical to achieving the goals of the Executive Order. For these reasons, NIST is interested in learning about individual companies’ and other organizations’ knowledge of and experiences with the Framework. NIST wants to better understand how companies and organizations in all critical infrastructure sectors are approaching and making specific use of the Framework, in accordance with Section 7(f) of the Executive Order. This includes learning about which aspects of the Framework have been helpful or challenging, and about whether and how the Framework has been used to modify and strengthen management of cyber risks. The RFI responses will also inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program.4 NIST understands that at this early stage the Framework may be used in a variety of ways, including: participation 4 http://www.us-cert.gov/ccubedvp. E:\FR\FM\26AUN1.SGM 26AUN1 Federal Register / Vol. 79, No. 165 / Tuesday, August 26, 2014 / Notices in a sector group that is reviewing how the Framework can best be implemented and coordinated with ongoing or planned initiatives; initial high-level review of an organization’s current management of cyber risk; and more intensive deployment as an organization’s guiding approach to managing its cyber risk. In addition to seeking comments from individual critical infrastructure owners and operators of all sizes and their representatives from sector and professional associations, NIST invites submissions from Federal agencies, state, local, territorial and tribal governments, standard-setting organizations,5 other members of industry, consumers, solution providers, and other stakeholders. tkelley on DSK3SPTVN1PROD with NOTICES Request for Information The following questions cover the major areas about which NIST seeks comment. They are not intended to limit the topics that may be addressed. Responses may include any topic believed to have implications for the degree of awareness and voluntary use and subsequent improvement of the Framework, regardless of whether the topic is included in this document. While the Framework and associated outreach activities by NIST have focused on critical infrastructure, given the broad diversity of sectors that may include parts of critical infrastructure and the intention to continue to involve a broad set of stakeholders in use and evolution of the Framework, the RFI generally uses the broader term ‘‘organizations’’ in seeking information. NIST is especially interested in comments that will help to determine the Framework’s usefulness and potential applicability across all critical infrastructure sectors. In addition, considering the interwoven nature of our Internet-based economy and society, information from and about organizations not included in critical infrastructure sectors also will be valuable. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. Do not include in comments or otherwise submit proprietary or confidential information, as all comments received in response to this RFI will be made available publically at http://www.nist.gov/cyberframework/ cybersecurity-framework-rfi.cfm. 5 As used herein, ‘‘standard-setting organizations’’ refers to the wide cross section of organizations that are involved in the development of standards and specifications, both domestically and abroad. VerDate Mar<15>2010 21:48 Aug 25, 2014 Jkt 232001 Current Awareness of the Cybersecurity Framework Recognizing the critical importance of widespread voluntary usage of the Framework in order to achieve the goals of the Executive Order, and that usage initially depends upon awareness, NIST solicits information about awareness of the Framework and its intended uses among organizations. 1. What is the extent of awareness of the Framework among the Nation’s critical infrastructure organizations? Six months after the Framework was issued, has it gained the traction needed to be a factor in how organizations manage cyber risks in the Nation’s critical infrastructure? 2. How have organizations learned about the Framework? Outreach from NIST or another government agency, an association, participation in a NIST workshop, news media? Other source? 3. Are critical infrastructure owners and operators working with sectorspecific groups, non-profits, and other organizations that support critical infrastructure to receive information and share lessons learned about the Framework? 4. Is there general awareness that the Framework: a. Is intended for voluntary use? b. Is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cybersecurity factors into risk assessments? c. Builds on existing cybersecurity frameworks, standards, and guidelines, and other management practices related to cybersecurity? 5. What are the greatest challenges and opportunities—for NIST, the Federal government more broadly, and the private sector—to improve awareness of the Framework? 6. Given that many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure, what is the level of awareness internationally of the Framework? 7. If your sector is regulated, do you think your regulator is aware of the Framework, and do you think it has taken any visible actions reflecting such awareness? 8. Is your organization doing any form of outreach or education on cybersecurity risk management (including the Framework)? If so, what kind of outreach and how many entities are you reaching? If not, does your organization plan to do any form of outreach or awareness on the Framework? 9. What more can and should be done to raise awareness? PO 00000 Frm 00010 Fmt 4703 Sfmt 4703 50893 Experiences With the Cybersecurity Framework NIST is seeking information on the experiences with, including but not limited to early implementation and usage of, the Framework throughout the Nation’s critical infrastructure. NIST seeks information from and about organizations that have had direct experience with the Framework. Please provide information related to the following: 1. Has the Framework helped organizations understand the importance of managing cyber risk? 2. Which sectors and organizations are actively planning to, or already are, using the Framework, and how? 3. What benefits have been realized by early experiences with the Framework? 4. What expectations have not been met by the Framework and why? Specifically, what about the Framework is most helpful and why? What is least helpful and why? 5. Do organizations in some sectors require some type of sector specific guidance prior to use? 6. Have organizations that are using the Framework integrated it with their broader enterprise risk management program? 7. Is the Framework’s approach of major components—Core, Profile, and Implementation Tiers—reasonable and helpful? 8. Section 3.0 of the Framework (‘‘How to Use the Framework’’) presents a variety of ways in which organizations can use the Framework. a. Of these recommended practices, how are organizations initially using the Framework? b. Are organizations using the Framework in other ways that should be highlighted in supporting material or in future versions of the Framework? c. Are organizations leveraging Section 3.5 of the Framework (‘‘Methodology to Protect Privacy and Civil Liberties’’) and, if so, what are their initial experiences? If organizations are not leveraging this methodology, why not? d. Are organizations changing their cybersecurity governance as a result of the Framework? e. Are organizations using the Framework to communicate information about their cybersecurity risk management programs—including the effectiveness of those programs—to stakeholders, including boards, investors, auditors, and insurers? f. Are organizations using the Framework to specifically express cybersecurity requirements to their partners, suppliers, and other third parties? E:\FR\FM\26AUN1.SGM 26AUN1 50894 Federal Register / Vol. 79, No. 165 / Tuesday, August 26, 2014 / Notices 9. Which activities by NIST, the Department of Commerce overall (including the Patent and Trademark Office (PTO); National Telecommunications and Information Administration (NTIA); and the Internet Policy Taskforce (IPTF)) or other departments and agencies could be expanded or initiated to promote implementation of the Framework? 10. Have organizations developed practices to assist in use of the Framework? Roadmap for the Future of the Cybersecurity Framework NIST published a Roadmap 6 in February 2014 detailing some issues and challenges that should be addressed in order to improve future versions of the Framework. Information is sought to answer the following questions: 1. Does the Roadmap identify the most important cybersecurity areas to be addressed in the future? 2. Are key cybersecurity issues and opportunities missing that should be considered as priorities, and if so, what are they and why do they merit special attention? 3. Have there been significant developments—in the United States or elsewhere—in any of these areas since the Roadmap was published that NIST should be aware of and take into account as it works to advance the usefulness of the Framework? Dated: August 21, 2014. Willie E. May, Associate Director for Laboratory Programs. [FR Doc. 2014–20315 Filed 8–25–14; 8:45 am] BILLING CODE 3510–13–P DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Commerce Spectrum Management Advisory Committee Meeting National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Notice of Open Meeting. AGENCY: This notice announces a public meeting of the Commerce Spectrum Management Advisory Committee (Committee). The Committee provides advice to the Assistant Secretary of Commerce for Communications and Information and the National Telecommunications and Information Administration (NTIA) on spectrum management policy matters. tkelley on DSK3SPTVN1PROD with NOTICES SUMMARY: 6 http://www.nist.gov/cyberframework/upload/ roadmap-021214.pdf VerDate Mar<15>2010 21:48 Aug 25, 2014 Jkt 232001 The meeting will be held on October 9, 2014, from 1:00 p.m. to 4:00 p.m., Eastern Daylight Time. ADDRESSES: The meeting will be held at the U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4830, Washington, DC 20230. Public comments may be mailed to Commerce Spectrum Management Advisory Committee, National Telecommunications and Information Administration, 1401 Constitution Avenue NW., Room 4099, Washington, DC 20230 or emailed to BWashington@ntia.doc.gov. DATES: FOR FURTHER INFORMATION CONTACT: Bruce M. Washington, Designated Federal Officer, at (202) 482–6415 or BWashington@ntia.doc.gov; and/or visit NTIA’s Web site at http:// www.ntia.doc.gov/category/csmac. SUPPLEMENTARY INFORMATION: Background: The Committee provides advice to the Assistant Secretary of Commerce for Communications and Information on needed reforms to domestic spectrum policies and management in order to: License radio frequencies in a way that maximizes their public benefits; keep wireless networks as open to innovation as possible; and make wireless services available to all Americans. See Charter at http://www.ntia.doc.gov/otherpublication/2013/csmac-2013-charter. This Committee is subject to the Federal Advisory Committee Act (FACA), 5 U.S.C. App. 2, and is consistent with the National Telecommunications and Information Administration Act, 47 U.S.C. 904(b). The Committee functions solely as an advisory body in compliance with the FACA. For more information about the Committee visit: http://www.ntia.doc.gov/category/ csmac. Matters To Be Considered: The Committee will receive reports on the progress of the following subcommittees established to help NTIA develop new or revised strategies for responding more efficiently and effectively to fundamental technological, operational, and other trends to continue advancement of delivering spectrum products, services, and solutions that will support the ever-increasing demand for spectrum: 1. Enforcement 2. Transitional Sharing 3. General Occupancy Measurements and Quantification of Federal Spectrum Use 4. Spectrum Management via Databases 5. Federal Access to Non-federal Bands 6. Spectrum Sharing Cost Recovery Alternatives PO 00000 Frm 00011 Fmt 4703 Sfmt 4703 7. Industry and Government Collaboration NTIA will post a detailed agenda on its Web site, http://www.ntia.doc.gov/ category/csmac, prior to the meeting. To the extent that the meeting time and agenda permit, any member of the public may speak to or otherwise address the Committee regarding the agenda items. See Open Meeting and Public Participation Policy, available at http://www.ntia.doc.gov/category/ csmac. Time and Date: The meeting will be held on October 9, 2014, from 1:00 p.m. to 4:00 p.m., Eastern Daylight Time. The times and the agenda topics are subject to change. The meeting will be available via two-way audio link and may be webcast. Please refer to NTIA’s Web site, http://www.ntia.doc.gov/category/ csmac, for the most up-to-date meeting agenda and access information. Place: The meeting will be held at the U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4830, Washington, DC 20230. Public comments may be mailed to Commerce Spectrum Management Advisory Committee, National Telecommunications and Information Administration, 1401 Constitution Avenue NW., Room 4099, Washington, DC 20230. The meeting will be open to the public and press on a first-come, first-served basis. Space is limited. The public meeting is physically accessible to people with disabilities. Individuals requiring accommodations, such as sign language interpretation or other ancillary aids, are asked to notify Mr. Washington at (202) 482–6415 or BWashington@ntia.doc.gov at least ten (10) business days before the meeting. Status: Interested parties are invited to attend and to submit written comments to the Committee at any time before or after the meeting. Parties wishing to submit written comments for consideration by the Committee in advance of a meeting must send them to NTIA’s Washington, DC office at the above-listed address and comments must be received five (5) business days before the scheduled meeting date, to provide sufficient time for review. Comments received after this date will be distributed to the Committee, but may not be reviewed prior to the meeting. It would be helpful if paper submissions also include a compact disc (CD) in Word or PDF format. CDs should be labeled with the name and organizational affiliation of the filer. Alternatively, comments may be submitted electronically to BWashington@ntia.doc.gov. Comments provided via electronic mail also may be E:\FR\FM\26AUN1.SGM 26AUN1

Agencies

[Federal Register Volume 79, Number 165 (Tuesday, August 26, 2014)]
[Notices]
[Pages 50891-50894]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-20315]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket Number: 140721609-4609-01]


Experience With the Framework for Improving Critical 
Infrastructure Cybersecurity

AGENCY: National Institute of Standards and Technology, U.S. Department 
of Commerce.

ACTION: Notice; Request for Information (RFI).

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
requests information about the level of awareness throughout critical 
infrastructure organizations, and initial experiences with the 
Framework for Improving Critical Infrastructure Cybersecurity (the 
``Framework''). As directed by Executive Order 13636, ``Improving 
Critical Infrastructure Cybersecurity'' (the ``Executive Order''), the 
Framework consists of standards, methodologies, procedures, and 
processes that align policy, business, and technological approaches to 
address cyber risks. The Framework was released on February 12, 2014, 
after a year-long, open process involving private and public sector 
organizations, including extensive input and public comments.
    Responses to this RFI--which will be posted at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm--will inform NIST's 
planning and decision-making about possible tools and resources to help 
organizations to use the Framework more effectively and efficiently. 
They will also help inform future versions of the Framework. The 
responses will also inform the Department of Homeland Security's 
Critical Infrastructure Cyber Community C\3\ Voluntary Program. In 
addition, NIST is interested in receiving comments related to the 
Roadmap that accompanied publication of the Framework. All information 
provided will also assist in developing the agenda for a workshop on 
the Framework being planned for October 2014.

[[Page 50892]]


DATES: Comments must be received by 5:00 p.m. Eastern time on October 
10, 2014.

ADDRESSES: Written comments may be submitted by mail to Diane 
Honeycutt, National Institute of Standards and Technology, 100 Bureau 
Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in 
electronic form may be sent to cyberframework@nist.gov in any of the 
following formats: HTML; ASCII; Word; RTF; or PDF. Please submit 
comments only and include your name, organization's name (if any), and 
cite ``Experience with the Framework for Improving Critical 
Infrastructure Cybersecurity'' in all correspondence. Comments 
containing references, studies, research, and other empirical data that 
are not widely published should include copies of the referenced 
materials.
    All comments received in response to this RFI will be posted at 
http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm 
without change or redaction, so commenters should not include 
information they do not wish to be posted (e.g., personal or 
confidential business information).

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: 
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue 
NW., Washington, DC 20230, telephone (202) 482-0788, email 
Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST's Office 
of Public Affairs at (301) 975-2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the 
United States depends on the reliable functioning of critical 
infrastructure,\1\ which has become increasingly dependent on 
information technology. Recent cyber attacks and publicized weaknesses 
reinforce the need for improved capabilities for defending against 
malicious cyber activity. This will be a long-term challenge. 
Additional steps must be taken to enhance existing efforts to increase 
the protection and resilience of critical infrastructure, while 
maintaining a cyber environment that encourages efficiency, innovation, 
and economic prosperity while also protecting privacy and civil 
liberties.
---------------------------------------------------------------------------

    \1\ For the purposes of this RFI the term ``critical 
infrastructure'' has the meaning given the term in 42 U.S.C. 
5195c(e): ``systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of 
such systems and assets would have a debilitating impact on 
security, national economic security, national public health or 
safety, or any combination of those matters.''
---------------------------------------------------------------------------

    By Executive Order,\2\ the Secretary of Commerce was tasked to 
direct the Director of the National Institute of Standards and 
Technology (NIST) to lead the development of a voluntary framework to 
reduce cyber risks to critical infrastructure (the ``Framework'').\3\ 
The Framework consists of standards, methodologies, procedures and 
processes that align policy, business, and technological approaches to 
address cyber risks. The Framework was developed by NIST using 
information collected through the RFI that was published in the Federal 
Register on February 25, 2013, a series of open public workshops, and a 
45-day public comment period announced in the Federal Register on 
October 29, 2013. It was published on February 12, 2014, after a year-
long, open process involving private and public sector organizations, 
including extensive input and public comments, and announced in the 
Federal Register (79 FR 9167) on February 18, 2014.
---------------------------------------------------------------------------

    \2\ Exec. Order No. 13636, Improving Critical Infrastructure 
Cybersecurity, 78 FR 11739 (February 19, 2013).
    \3\ https://www.federalregister.gov/articles/2014/02/18/2014-03495/ cybersecurity-framework.
---------------------------------------------------------------------------

    Given the diversity of sectors in the Nation's critical 
infrastructure, the Framework development process was designed to build 
on cross-sector security standards and guidelines that are immediately 
applicable or likely to be applicable to critical infrastructure, to 
increase visibility and adoption of those standards and guidelines, and 
to find potential areas for improvement (i.e., where standards/
guidelines are nonexistent or where existing standards/guidelines are 
inadequate) that need to be addressed through future collaboration with 
industry and industry-led standards bodies. The Cybersecurity Framework 
incorporates voluntary consensus standards and industry best practices 
to the fullest extent possible and is consistent with voluntary 
international consensus-based standards when such international 
standards advance the objectives of the Executive Order. The Framework 
is designed for compatibility with existing regulatory authorities and 
regulations, although it is intended for voluntary adoption.
    While the focus of the Framework is on the Nation's critical 
infrastructure, it was developed in a manner to promote wide adoption 
of practices to increase risk management-based cybersecurity across all 
industry sectors and by all types of organizations.
    NIST remains committed to helping organizations understand and use 
the Framework. In the five-plus months since the document was 
published, NIST has reached out and responded to a large number of 
organizations to raise awareness, answer questions, and learn about 
their experiences with the Framework.
    NIST has worked closely with industry groups, associations, non-
profits, government agencies, and international standards bodies to 
increase awareness of the Framework. NIST has promoted the use of the 
Framework as a basic, flexible, and adaptable tool for managing and 
reducing cybersecurity risks, most frequently working in partnership 
with leaders at all levels of stakeholder organizations.
    While the initial focus was on cross-sector needs, Section 8(b) of 
the Executive Order called on ``Sector Coordinating Councils to review 
the Cybersecurity Framework and, if necessary, develop implementation 
guidance or supplemental materials to address sector-specific risks and 
operating environments.'' NIST has participated in these and similar 
industry-government collaborative activities, in some cases serving in 
an advisory capacity.
    In the time since the Framework's publication, NIST's primary goal 
has been to raise awareness of the Framework and how it can be used to 
manage cyber risks, in order to assist industry sectors and 
organizations to gain experience with it. While NIST appreciates that 
widespread implementation of the Framework can only occur over time, 
NIST views extensive voluntary use as critical to achieving the goals 
of the Executive Order. For these reasons, NIST is interested in 
learning about individual companies' and other organizations' knowledge 
of and experiences with the Framework. NIST wants to better understand 
how companies and organizations in all critical infrastructure sectors 
are approaching and making specific use of the Framework, in accordance 
with Section 7(f) of the Executive Order. This includes learning about 
which aspects of the Framework have been helpful or challenging, and 
about whether and how the Framework has been used to modify and 
strengthen management of cyber risks. The RFI responses will also 
inform the Department of Homeland Security's Critical Infrastructure 
Cyber Community C\3\ Voluntary Program.\4\
---------------------------------------------------------------------------

    \4\ http://www.us-cert.gov/ccubedvp.
---------------------------------------------------------------------------

    NIST understands that at this early stage the Framework may be used 
in a variety of ways, including: participation

[[Page 50893]]

in a sector group that is reviewing how the Framework can best be 
implemented and coordinated with ongoing or planned initiatives; 
initial high-level review of an organization's current management of 
cyber risk; and more intensive deployment as an organization's guiding 
approach to managing its cyber risk.
    In addition to seeking comments from individual critical 
infrastructure owners and operators of all sizes and their 
representatives from sector and professional associations, NIST invites 
submissions from Federal agencies, state, local, territorial and tribal 
governments, standard-setting organizations,\5\ other members of 
industry, consumers, solution providers, and other stakeholders.
---------------------------------------------------------------------------

    \5\ As used herein, ``standard-setting organizations'' refers to 
the wide cross section of organizations that are involved in the 
development of standards and specifications, both domestically and 
abroad.
---------------------------------------------------------------------------

Request for Information

    The following questions cover the major areas about which NIST 
seeks comment. They are not intended to limit the topics that may be 
addressed. Responses may include any topic believed to have 
implications for the degree of awareness and voluntary use and 
subsequent improvement of the Framework, regardless of whether the 
topic is included in this document.
    While the Framework and associated outreach activities by NIST have 
focused on critical infrastructure, given the broad diversity of 
sectors that may include parts of critical infrastructure and the 
intention to continue to involve a broad set of stakeholders in use and 
evolution of the Framework, the RFI generally uses the broader term 
``organizations'' in seeking information. NIST is especially interested 
in comments that will help to determine the Framework's usefulness and 
potential applicability across all critical infrastructure sectors. In 
addition, considering the interwoven nature of our Internet-based 
economy and society, information from and about organizations not 
included in critical infrastructure sectors also will be valuable.
    Comments containing references, studies, research, and other 
empirical data that are not widely published should include copies of 
the referenced materials. Do not include in comments or otherwise 
submit proprietary or confidential information, as all comments 
received in response to this RFI will be made available publically at 
http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm.

Current Awareness of the Cybersecurity Framework

    Recognizing the critical importance of widespread voluntary usage 
of the Framework in order to achieve the goals of the Executive Order, 
and that usage initially depends upon awareness, NIST solicits 
information about awareness of the Framework and its intended uses 
among organizations.
    1. What is the extent of awareness of the Framework among the 
Nation's critical infrastructure organizations? Six months after the 
Framework was issued, has it gained the traction needed to be a factor 
in how organizations manage cyber risks in the Nation's critical 
infrastructure?
    2. How have organizations learned about the Framework? Outreach 
from NIST or another government agency, an association, participation 
in a NIST workshop, news media? Other source?
    3. Are critical infrastructure owners and operators working with 
sector-specific groups, non-profits, and other organizations that 
support critical infrastructure to receive information and share 
lessons learned about the Framework?
    4. Is there general awareness that the Framework:
    a. Is intended for voluntary use?
    b. Is intended as a cyber risk management tool for all levels of an 
organization in assessing risk and how cybersecurity factors into risk 
assessments?
    c. Builds on existing cybersecurity frameworks, standards, and 
guidelines, and other management practices related to cybersecurity?
    5. What are the greatest challenges and opportunities--for NIST, 
the Federal government more broadly, and the private sector--to improve 
awareness of the Framework?
    6. Given that many organizations and most sectors operate globally 
or rely on the interconnectedness of the global digital infrastructure, 
what is the level of awareness internationally of the Framework?
    7. If your sector is regulated, do you think your regulator is 
aware of the Framework, and do you think it has taken any visible 
actions reflecting such awareness?
    8. Is your organization doing any form of outreach or education on 
cybersecurity risk management (including the Framework)? If so, what 
kind of outreach and how many entities are you reaching? If not, does 
your organization plan to do any form of outreach or awareness on the 
Framework?
    9. What more can and should be done to raise awareness?

Experiences With the Cybersecurity Framework

    NIST is seeking information on the experiences with, including but 
not limited to early implementation and usage of, the Framework 
throughout the Nation's critical infrastructure. NIST seeks information 
from and about organizations that have had direct experience with the 
Framework. Please provide information related to the following:
    1. Has the Framework helped organizations understand the importance 
of managing cyber risk?
    2. Which sectors and organizations are actively planning to, or 
already are, using the Framework, and how?
    3. What benefits have been realized by early experiences with the 
Framework?
    4. What expectations have not been met by the Framework and why? 
Specifically, what about the Framework is most helpful and why? What is 
least helpful and why?
    5. Do organizations in some sectors require some type of sector 
specific guidance prior to use?
    6. Have organizations that are using the Framework integrated it 
with their broader enterprise risk management program?
    7. Is the Framework's approach of major components--Core, Profile, 
and Implementation Tiers--reasonable and helpful?
    8. Section 3.0 of the Framework (``How to Use the Framework'') 
presents a variety of ways in which organizations can use the 
Framework.
    a. Of these recommended practices, how are organizations initially 
using the Framework?
    b. Are organizations using the Framework in other ways that should 
be highlighted in supporting material or in future versions of the 
Framework?
    c. Are organizations leveraging Section 3.5 of the Framework 
(``Methodology to Protect Privacy and Civil Liberties'') and, if so, 
what are their initial experiences? If organizations are not leveraging 
this methodology, why not?
    d. Are organizations changing their cybersecurity governance as a 
result of the Framework?
    e. Are organizations using the Framework to communicate information 
about their cybersecurity risk management programs--including the 
effectiveness of those programs--to stakeholders, including boards, 
investors, auditors, and insurers?
    f. Are organizations using the Framework to specifically express 
cybersecurity requirements to their partners, suppliers, and other 
third parties?

[[Page 50894]]

    9. Which activities by NIST, the Department of Commerce overall 
(including the Patent and Trademark Office (PTO); National 
Telecommunications and Information Administration (NTIA); and the 
Internet Policy Taskforce (IPTF)) or other departments and agencies 
could be expanded or initiated to promote implementation of the 
Framework?
    10. Have organizations developed practices to assist in use of the 
Framework?

Roadmap for the Future of the Cybersecurity Framework

    NIST published a Roadmap \6\ in February 2014 detailing some issues 
and challenges that should be addressed in order to improve future 
versions of the Framework. Information is sought to answer the 
following questions:
---------------------------------------------------------------------------

    \6\ http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf
---------------------------------------------------------------------------

    1. Does the Roadmap identify the most important cybersecurity areas 
to be addressed in the future?
    2. Are key cybersecurity issues and opportunities missing that 
should be considered as priorities, and if so, what are they and why do 
they merit special attention?
    3. Have there been significant developments--in the United States 
or elsewhere--in any of these areas since the Roadmap was published 
that NIST should be aware of and take into account as it works to 
advance the usefulness of the Framework?

    Dated: August 21, 2014.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2014-20315 Filed 8-25-14; 8:45 am]
BILLING CODE 3510-13-P