Experience With the Framework for Improving Critical Infrastructure Cybersecurity, 50891-50894 [2014-20315]
Federal Register / Vol. 79, No. 165 / Tuesday, August 26, 2014 / Notices
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Manufacturing Extension Partnership Advisory Board
AGENCY: National Institute of Standards and Technology, Commerce.
ACTION: Notice of Open Meeting.
SUMMARY: The National Institute of Standards and Technology (NIST) announces that the Manufacturing Extension Partnership (MEP) Advisory Board will hold an open meeting on Thursday, September 18, 2014 from 8:30 a.m. to 5:00 p.m. Eastern Time.
DATES: The meeting will be held Thursday, September 18, 2014, from 8:30 a.m. to 5:00 p.m. Eastern Time.
ADDRESSES: The meeting will be held at NIST, 100 Bureau Drive, Gaithersburg, MD 20899. Please note admittance instructions in the SUPPLEMENTARY INFORMATION section below.
FOR FURTHER INFORMATION CONTACT: Kari Reidy, Manufacturing Extension Partnership, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 4800, Gaithersburg, Maryland 20899–4800, telephone number (301) 975–4919, email: Kari.reidy@nist.gov.
SUPPLEMENTARY INFORMATION: The MEP Advisory Board (Board) is authorized under Section 3003(d) of the America COMPETES Act (Pub. L. 110–69); codified at 15 U.S.C. 278k(e), as amended, in accordance with the provisions of the Federal Advisory Committee Act, as amended, 5 U.S.C. App. The Board is composed of 10 members, appointed by the Director of NIST. Hollings MEP is a unique program, consisting of centers across the United States and Puerto Rico with partnerships at the state, federal, and local levels. The Board provides a forum for input and guidance from Hollings MEP program stakeholders in the formulation and implementation of tools and services focused on supporting and growing the U.S. manufacturing industry, provides advice on MEP programs, plans, and policies, assesses the soundness of MEP plans and strategies, and assesses current performance against MEP program plans.
Background information on the Board is available at https://www.nist.gov/mep/advisory-board.cfm.
Pursuant to the Federal Advisory Committee Act, as amended, 5 U.S.C. App., notice is hereby given that the MEP Advisory Board will hold an open meeting on Thursday, September 18, 2014 from 8:30 a.m. to 5:00 p.m. Eastern Time. This meeting will focus on (1) the MEP Advisory Board’s review of the plans for implementing the recently adopted NIST MEP Strategic plan, (2) overview of Hollings MEP export initiatives and partnerships, and (3) an update on NIST Hollings MEP system competitions. The final agenda will be posted on the MEP Advisory Board Web site at https://www.nist.gov/mep/advisory-board.cfm.
Admittance Instructions: Anyone wishing to attend this meeting should submit their name, email address and phone number to Kari Reidy (Kari.reidy@nist.gov or 301–975–4919) no later than Thursday, September 11, 2014, 5:00 p.m. Eastern Time. Non-U.S. citizens must submit additional information; please contact Ms. Reidy. All attendees must pre-register in order to be admitted to the NIST campus. Also, please note that under the REAL ID Act of 2005 (Pub. L. 109–13), federal agencies, including NIST, can only accept a state-issued driver’s license or identification card for access to federal facilities if issued by states that are REAL ID compliant or have an extension. NIST also currently accepts other forms of federal-issued identification in lieu of a state-issued driver’s license. For detailed information please contact Ms. Reidy or visit: https://www.nist.gov/public_affairs/visitor/.
Individuals and representatives of organizations who would like to offer comments and suggestions related to the MEP Advisory Board’s business are invited to request a place on the agenda. Approximately 15 minutes will be reserved for public comments at the beginning of the meeting. Speaking times will be assigned on a first-come, first-served basis. The amount of time per speaker will be determined by the number of requests received but is likely to be no more than three to five minutes each. The exact time for public comments will be included in the final agenda that will be posted on the MEP Advisory Board Web site at https://www.nist.gov/mep/advisory-board.cfm. Questions from the public will not be considered during this period. Speakers who wish to expand upon their oral statements, those who had wished to speak but could not be accommodated on the agenda, and those who were unable to attend in person are invited to submit written statements to the MEP Advisory Board, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 4800, Gaithersburg, Maryland 20899–4800, or via fax at (301) 963–6556, or electronically by email to kari.reidy@nist.gov.
Dated: August 11, 2014.
Phillip Singerman,
Associate Director for Innovation & Industry Services.
[FR Doc. 2014–20304 Filed 8–25–14; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket Number: 140721609–4609–01]
Experience With the Framework for Improving Critical Infrastructure Cybersecurity
AGENCY: National Institute of Standards and Technology, U.S. Department of Commerce.
ACTION: Notice; Request for Information (RFI).
SUMMARY: The National Institute of Standards and Technology (NIST) requests information about the level of awareness throughout critical infrastructure organizations, and initial experiences with the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). As directed by Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (the “Executive Order”), the Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was released on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments.
Responses to this RFI—which will be posted at https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm—will inform NIST’s planning and decision-making about possible tools and resources to help organizations to use the Framework more effectively and efficiently. They will also help inform future versions of the Framework. The responses will also inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program. In addition, NIST is interested in receiving comments related to the Roadmap that accompanied publication of the Framework. All information provided will also assist in developing the agenda for a workshop on the Framework being planned for October 2014.
DATES: Comments must be received by 5:00 p.m. Eastern time on October 10, 2014.
ADDRESSES: Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization’s name (if any), and cite “Experience with the Framework for Improving Critical Infrastructure Cybersecurity” in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials.
All comments received in response to this RFI will be posted at https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).
FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482–0788, email Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST’s Office of Public Affairs at (301) 975–2762.
SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,1 which has become increasingly dependent on information technology. Recent cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This will be a long-term challenge. Additional steps must be taken to enhance existing efforts to increase the protection and resilience of critical infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity while also protecting privacy and civil liberties.
1 For the purposes of this RFI the term “critical infrastructure” has the meaning given the term in 42 U.S.C. 5195c(e): “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
By Executive Order,2 the Secretary of Commerce was tasked to direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the “Framework”).3 The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the RFI that was published in the Federal Register on February 25, 2013, a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013. It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register (79 FR 9167) on February 18, 2014.
2 Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (February 19, 2013).
3 https://www.federalregister.gov/articles/2014/02/18/2014-03495/cybersecurity-framework.
Given the diversity of sectors in the Nation’s critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption.
While the focus of the Framework is on the Nation’s critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations.
NIST remains committed to helping organizations understand and use the Framework. In the five-plus months since the document was published, NIST has reached out and responded to a large number of organizations to raise awareness, answer questions, and learn about their experiences with the Framework.
NIST has worked closely with industry groups, associations, nonprofits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks, most frequently working in partnership with leaders at all levels of stakeholder organizations.
While the initial focus was on cross-sector needs, Section 8(b) of the Executive Order called on “Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.” NIST has participated in these and similar industry-government collaborative activities, in some cases serving in an advisory capacity.
In the time since the Framework’s publication, NIST’s primary goal has been to raise awareness of the Framework and how it can be used to manage cyber risks, in order to assist industry sectors and organizations to gain experience with it. While NIST appreciates that widespread implementation of the Framework can only occur over time, NIST views extensive voluntary use as critical to achieving the goals of the Executive Order. For these reasons, NIST is interested in learning about individual companies’ and other organizations’ knowledge of and experiences with the Framework. NIST wants to better understand how companies and organizations in all critical infrastructure sectors are approaching and making specific use of the Framework, in accordance with Section 7(f) of the Executive Order. This includes learning about which aspects of the Framework have been helpful or challenging, and about whether and how the Framework has been used to modify and strengthen management of cyber risks. The RFI responses will also inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program.4
4 https://www.us-cert.gov/ccubedvp.
NIST understands that at this early stage the Framework may be used in a variety of ways, including: participation in a sector group that is reviewing how the Framework can best be implemented and coordinated with ongoing or planned initiatives; initial high-level review of an organization’s current management of cyber risk; and more intensive deployment as an organization’s guiding approach to managing its cyber risk.
In addition to seeking comments from individual critical infrastructure owners and operators of all sizes and their representatives from sector and professional associations, NIST invites submissions from Federal agencies, state, local, territorial and tribal governments, standard-setting organizations,5 other members of industry, consumers, solution providers, and other stakeholders.
Request for Information
The following questions cover the major areas about which NIST seeks comment. They are not intended to limit the topics that may be addressed. Responses may include any topic believed to have implications for the degree of awareness and voluntary use and subsequent improvement of the Framework, regardless of whether the topic is included in this document.
While the Framework and associated outreach activities by NIST have focused on critical infrastructure, given the broad diversity of sectors that may include parts of critical infrastructure and the intention to continue to involve a broad set of stakeholders in use and evolution of the Framework, the RFI generally uses the broader term “organizations” in seeking information. NIST is especially interested in comments that will help to determine the Framework’s usefulness and potential applicability across all critical infrastructure sectors. In addition, considering the interwoven nature of our Internet-based economy and society, information from and about organizations not included in critical infrastructure sectors also will be valuable.
Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. Do not include in comments or otherwise submit proprietary or confidential information, as all comments received in response to this RFI will be made available publicly at https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm.
5 As used herein, “standard-setting organizations” refers to the wide cross section of organizations that are involved in the development of standards and specifications, both domestically and abroad.
Current Awareness of the Cybersecurity Framework
Recognizing the critical importance of widespread voluntary usage of the Framework in order to achieve the goals of the Executive Order, and that usage initially depends upon awareness, NIST solicits information about awareness of the Framework and its intended uses among organizations.
1. What is the extent of awareness of the Framework among the Nation’s critical infrastructure organizations? Six months after the Framework was issued, has it gained the traction needed to be a factor in how organizations manage cyber risks in the Nation’s critical infrastructure?
2. How have organizations learned about the Framework? Outreach from NIST or another government agency, an association, participation in a NIST workshop, news media? Other source?
3. Are critical infrastructure owners and operators working with sector-specific groups, non-profits, and other organizations that support critical infrastructure to receive information and share lessons learned about the Framework?
4. Is there general awareness that the Framework:
a. Is intended for voluntary use?
b. Is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cybersecurity factors into risk assessments?
c. Builds on existing cybersecurity frameworks, standards, and guidelines, and other management practices related to cybersecurity?
5. What are the greatest challenges and opportunities—for NIST, the Federal government more broadly, and the private sector—to improve awareness of the Framework?
6. Given that many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure, what is the level of awareness internationally of the Framework?
7. If your sector is regulated, do you think your regulator is aware of the Framework, and do you think it has taken any visible actions reflecting such awareness?
8. Is your organization doing any form of outreach or education on cybersecurity risk management (including the Framework)? If so, what kind of outreach and how many entities are you reaching? If not, does your organization plan to do any form of outreach or awareness on the Framework?
9. What more can and should be done to raise awareness?
Experiences With the Cybersecurity Framework
NIST is seeking information on the experiences with, including but not limited to early implementation and usage of, the Framework throughout the Nation’s critical infrastructure. NIST seeks information from and about organizations that have had direct experience with the Framework. Please provide information related to the following:
1. Has the Framework helped organizations understand the importance of managing cyber risk?
2. Which sectors and organizations are actively planning to, or already are, using the Framework, and how?
3. What benefits have been realized by early experiences with the Framework?
4. What expectations have not been met by the Framework and why? Specifically, what about the Framework is most helpful and why? What is least helpful and why?
5. Do organizations in some sectors require some type of sector specific guidance prior to use?
6. Have organizations that are using the Framework integrated it with their broader enterprise risk management program?
7. Is the Framework’s approach of major components—Core, Profile, and Implementation Tiers—reasonable and helpful?
8. Section 3.0 of the Framework (“How to Use the Framework”) presents a variety of ways in which organizations can use the Framework.
a. Of these recommended practices, how are organizations initially using the Framework?
b. Are organizations using the Framework in other ways that should be highlighted in supporting material or in future versions of the Framework?
c. Are organizations leveraging Section 3.5 of the Framework (“Methodology to Protect Privacy and Civil Liberties”) and, if so, what are their initial experiences? If organizations are not leveraging this methodology, why not?
d. Are organizations changing their cybersecurity governance as a result of the Framework?
e. Are organizations using the Framework to communicate information about their cybersecurity risk management programs—including the effectiveness of those programs—to stakeholders, including boards, investors, auditors, and insurers?
f. Are organizations using the Framework to specifically express cybersecurity requirements to their partners, suppliers, and other third parties?
9. Which activities by NIST, the Department of Commerce overall (including the Patent and Trademark Office (PTO); National Telecommunications and Information Administration (NTIA); and the Internet Policy Taskforce (IPTF)) or other departments and agencies could be expanded or initiated to promote implementation of the Framework?
10. Have organizations developed practices to assist in use of the Framework?
Roadmap for the Future of the Cybersecurity Framework
NIST published a Roadmap6 in February 2014 detailing some issues and challenges that should be addressed in order to improve future versions of the Framework. Information is sought to answer the following questions:
1. Does the Roadmap identify the most important cybersecurity areas to be addressed in the future?
2. Are key cybersecurity issues and opportunities missing that should be considered as priorities, and if so, what are they and why do they merit special attention?
3. Have there been significant developments—in the United States or elsewhere—in any of these areas since the Roadmap was published that NIST should be aware of and take into account as it works to advance the usefulness of the Framework?
6 https://www.nist.gov/cyberframework/upload/roadmap-021214.pdf
Dated: August 21, 2014.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2014–20315 Filed 8–25–14; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
Commerce Spectrum Management Advisory Committee Meeting
AGENCY: National Telecommunications and Information Administration, U.S. Department of Commerce.
ACTION: Notice of Open Meeting.
SUMMARY: This notice announces a public meeting of the Commerce Spectrum Management Advisory Committee (Committee). The Committee provides advice to the Assistant Secretary of Commerce for Communications and Information and the National Telecommunications and Information Administration (NTIA) on spectrum management policy matters.
DATES: The meeting will be held on October 9, 2014, from 1:00 p.m. to 4:00 p.m., Eastern Daylight Time.
ADDRESSES: The meeting will be held at the U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4830, Washington, DC 20230. Public comments may be mailed to Commerce Spectrum Management Advisory Committee, National Telecommunications and Information Administration, 1401 Constitution Avenue NW., Room 4099, Washington, DC 20230 or emailed to BWashington@ntia.doc.gov.
FOR FURTHER INFORMATION CONTACT: Bruce M. Washington, Designated Federal Officer, at (202) 482–6415 or BWashington@ntia.doc.gov; and/or visit NTIA’s Web site at https://www.ntia.doc.gov/category/csmac.
SUPPLEMENTARY INFORMATION:
Background: The Committee provides advice to the Assistant Secretary of Commerce for Communications and Information on needed reforms to domestic spectrum policies and management in order to: License radio frequencies in a way that maximizes their public benefits; keep wireless networks as open to innovation as possible; and make wireless services available to all Americans. See Charter at https://www.ntia.doc.gov/other-publication/2013/csmac-2013-charter. This Committee is subject to the Federal Advisory Committee Act (FACA), 5 U.S.C. App. 2, and is consistent with the National Telecommunications and Information Administration Act, 47 U.S.C. 904(b). The Committee functions solely as an advisory body in compliance with the FACA. For more information about the Committee visit: https://www.ntia.doc.gov/category/csmac.
Matters To Be Considered: The Committee will receive reports on the progress of the following subcommittees established to help NTIA develop new or revised strategies for responding more efficiently and effectively to fundamental technological, operational, and other trends to continue advancement of delivering spectrum products, services, and solutions that will support the ever-increasing demand for spectrum:
1. Enforcement
2. Transitional Sharing
3. General Occupancy Measurements and Quantification of Federal Spectrum Use
4. Spectrum Management via Databases
5. Federal Access to Non-federal Bands
6. Spectrum Sharing Cost Recovery Alternatives
7. Industry and Government Collaboration
NTIA will post a detailed agenda on its Web site, https://www.ntia.doc.gov/category/csmac, prior to the meeting. To the extent that the meeting time and agenda permit, any member of the public may speak to or otherwise address the Committee regarding the agenda items. See Open Meeting and Public Participation Policy, available at https://www.ntia.doc.gov/category/csmac.
Time and Date: The meeting will be held on October 9, 2014, from 1:00 p.m. to 4:00 p.m., Eastern Daylight Time. The times and the agenda topics are subject to change. The meeting will be available via two-way audio link and may be webcast. Please refer to NTIA’s Web site, https://www.ntia.doc.gov/category/csmac, for the most up-to-date meeting agenda and access information.
Place: The meeting will be held at the U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4830, Washington, DC 20230. Public comments may be mailed to Commerce Spectrum Management Advisory Committee, National Telecommunications and Information Administration, 1401 Constitution Avenue NW., Room 4099, Washington, DC 20230. The meeting will be open to the public and press on a first-come, first-served basis. Space is limited. The public meeting is physically accessible to people with disabilities. Individuals requiring accommodations, such as sign language interpretation or other ancillary aids, are asked to notify Mr. Washington at (202) 482–6415 or BWashington@ntia.doc.gov at least ten (10) business days before the meeting.
Status: Interested parties are invited to attend and to submit written comments to the Committee at any time before or after the meeting. Parties wishing to submit written comments for consideration by the Committee in advance of a meeting must send them to NTIA’s Washington, DC office at the above-listed address and comments must be received five (5) business days before the scheduled meeting date, to provide sufficient time for review. Comments received after this date will be distributed to the Committee, but may not be reviewed prior to the meeting. It would be helpful if paper submissions also include a compact disc (CD) in Word or PDF format. CDs should be labeled with the name and organizational affiliation of the filer. Alternatively, comments may be submitted electronically to BWashington@ntia.doc.gov. Comments provided via electronic mail also may be
Agencies
[Federal Register Volume 79, Number 165 (Tuesday, August 26, 2014)]
[Notices]
[Pages 50891-50894]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-20315]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket Number: 140721609-4609-01]
Experience With the Framework for Improving Critical
Infrastructure Cybersecurity
AGENCY: National Institute of Standards and Technology, U.S. Department
of Commerce.
ACTION: Notice; Request for Information (RFI).
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
requests information about the level of awareness throughout critical
infrastructure organizations, and initial experiences with the
Framework for Improving Critical Infrastructure Cybersecurity (the
``Framework''). As directed by Executive Order 13636, ``Improving
Critical Infrastructure Cybersecurity'' (the ``Executive Order''), the
Framework consists of standards, methodologies, procedures, and
processes that align policy, business, and technological approaches to
address cyber risks. The Framework was released on February 12, 2014,
after a year-long, open process involving private and public sector
organizations, including extensive input and public comments.
Responses to this RFI--which will be posted at https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm--will inform NIST's
planning and decision-making about possible tools and resources to help
organizations to use the Framework more effectively and efficiently.
They will also help inform future versions of the Framework. The
responses will also inform the Department of Homeland Security's
Critical Infrastructure Cyber Community C\3\ Voluntary Program. In
addition, NIST is interested in receiving comments related to the
Roadmap that accompanied publication of the Framework. All information
provided will also assist in developing the agenda for a workshop on
the Framework being planned for October 2014.
[[Page 50892]]
DATES: Comments must be received by 5:00 p.m. Eastern time on October
10, 2014.
ADDRESSES: Written comments may be submitted by mail to Diane
Honeycutt, National Institute of Standards and Technology, 100 Bureau
Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in
electronic form may be sent to cyberframework@nist.gov in any of the
following formats: HTML; ASCII; Word; RTF; or PDF. Please submit
comments only and include your name, organization's name (if any), and
cite ``Experience with the Framework for Improving Critical
Infrastructure Cybersecurity'' in all correspondence. Comments
containing references, studies, research, and other empirical data that
are not widely published should include copies of the referenced
materials.
All comments received in response to this RFI will be posted at
https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm
without change or redaction, so commenters should not include
information they do not wish to be posted (e.g., personal or
confidential business information).
FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact:
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue
NW., Washington, DC 20230, telephone (202) 482-0788, email
Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST's Office
of Public Affairs at (301) 975-2762.
SUPPLEMENTARY INFORMATION: The national and economic security of the
United States depends on the reliable functioning of critical
infrastructure,\1\ which has become increasingly dependent on
information technology. Recent cyber attacks and publicized weaknesses
reinforce the need for improved capabilities for defending against
malicious cyber activity. This will be a long-term challenge.
Additional steps must be taken to enhance existing efforts to increase
the protection and resilience of critical infrastructure, while
maintaining a cyber environment that encourages efficiency, innovation,
and economic prosperity while also protecting privacy and civil
liberties.
---------------------------------------------------------------------------
\1\ For the purposes of this RFI the term ``critical
infrastructure'' has the meaning given the term in 42 U.S.C.
5195c(e): ``systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on
security, national economic security, national public health or
safety, or any combination of those matters.''
---------------------------------------------------------------------------
By Executive Order,\2\ the Secretary of Commerce was tasked to
direct the Director of the National Institute of Standards and
Technology (NIST) to lead the development of a voluntary framework to
reduce cyber risks to critical infrastructure (the ``Framework'').\3\
The Framework consists of standards, methodologies, procedures and
processes that align policy, business, and technological approaches to
address cyber risks. The Framework was developed by NIST using
information collected through the RFI that was published in the Federal
Register on February 25, 2013, a series of open public workshops, and a
45-day public comment period announced in the Federal Register on
October 29, 2013. It was published on February 12, 2014, after a
year-long, open process involving private and public sector organizations,
including extensive input and public comments, and announced in the
Federal Register (79 FR 9167) on February 18, 2014.
---------------------------------------------------------------------------
\2\ Exec. Order No. 13636, Improving Critical Infrastructure
Cybersecurity, 78 FR 11739 (February 19, 2013).
\3\ https://www.federalregister.gov/articles/2014/02/18/2014-03495/cybersecurity-framework.
---------------------------------------------------------------------------
Given the diversity of sectors in the Nation's critical
infrastructure, the Framework development process was designed to build
on cross-sector security standards and guidelines that are immediately
applicable or likely to be applicable to critical infrastructure, to
increase visibility and adoption of those standards and guidelines, and
to find potential areas for improvement (i.e., where standards/
guidelines are nonexistent or where existing standards/guidelines are
inadequate) that need to be addressed through future collaboration with
industry and industry-led standards bodies. The Cybersecurity Framework
incorporates voluntary consensus standards and industry best practices
to the fullest extent possible and is consistent with voluntary
international consensus-based standards when such international
standards advance the objectives of the Executive Order. The Framework
is designed for compatibility with existing regulatory authorities and
regulations, although it is intended for voluntary adoption.
While the focus of the Framework is on the Nation's critical
infrastructure, it was developed in a manner to promote wide adoption
of practices to increase risk management-based cybersecurity across all
industry sectors and by all types of organizations.
NIST remains committed to helping organizations understand and use
the Framework. In the five-plus months since the document was
published, NIST has reached out and responded to a large number of
organizations to raise awareness, answer questions, and learn about
their experiences with the Framework.
NIST has worked closely with industry groups, associations,
non-profits, government agencies, and international standards bodies to
increase awareness of the Framework. NIST has promoted the use of the
Framework as a basic, flexible, and adaptable tool for managing and
reducing cybersecurity risks, most frequently working in partnership
with leaders at all levels of stakeholder organizations.
While the initial focus was on cross-sector needs, Section 8(b) of
the Executive Order called on ``Sector Coordinating Councils to review
the Cybersecurity Framework and, if necessary, develop implementation
guidance or supplemental materials to address sector-specific risks and
operating environments.'' NIST has participated in these and similar
industry-government collaborative activities, in some cases serving in
an advisory capacity.
In the time since the Framework's publication, NIST's primary goal
has been to raise awareness of the Framework and how it can be used to
manage cyber risks, in order to assist industry sectors and
organizations to gain experience with it. While NIST appreciates that
widespread implementation of the Framework can only occur over time,
NIST views extensive voluntary use as critical to achieving the goals
of the Executive Order. For these reasons, NIST is interested in
learning about individual companies' and other organizations' knowledge
of and experiences with the Framework. NIST wants to better understand
how companies and organizations in all critical infrastructure sectors
are approaching and making specific use of the Framework, in accordance
with Section 7(f) of the Executive Order. This includes learning about
which aspects of the Framework have been helpful or challenging, and
about whether and how the Framework has been used to modify and
strengthen management of cyber risks. The RFI responses will also
inform the Department of Homeland Security's Critical Infrastructure
Cyber Community C\3\ Voluntary Program.\4\
---------------------------------------------------------------------------
\4\ https://www.us-cert.gov/ccubedvp.
---------------------------------------------------------------------------
NIST understands that at this early stage the Framework may be used
in a variety of ways, including: participation
in a sector group that is reviewing how the Framework can best be
implemented and coordinated with ongoing or planned initiatives;
initial high-level review of an organization's current management of
cyber risk; and more intensive deployment as an organization's guiding
approach to managing its cyber risk.
In addition to seeking comments from individual critical
infrastructure owners and operators of all sizes and their
representatives from sector and professional associations, NIST invites
submissions from Federal agencies, state, local, territorial and tribal
governments, standard-setting organizations,\5\ other members of
industry, consumers, solution providers, and other stakeholders.
---------------------------------------------------------------------------
\5\ As used herein, ``standard-setting organizations'' refers to
the wide cross section of organizations that are involved in the
development of standards and specifications, both domestically and
abroad.
---------------------------------------------------------------------------
Request for Information
The following questions cover the major areas about which NIST
seeks comment. They are not intended to limit the topics that may be
addressed. Responses may include any topic believed to have
implications for the degree of awareness and voluntary use and
subsequent improvement of the Framework, regardless of whether the
topic is included in this document.
While the Framework and associated outreach activities by NIST have
focused on critical infrastructure, given the broad diversity of
sectors that may include parts of critical infrastructure and the
intention to continue to involve a broad set of stakeholders in use and
evolution of the Framework, the RFI generally uses the broader term
``organizations'' in seeking information. NIST is especially interested
in comments that will help to determine the Framework's usefulness and
potential applicability across all critical infrastructure sectors. In
addition, considering the interwoven nature of our Internet-based
economy and society, information from and about organizations not
included in critical infrastructure sectors also will be valuable.
Comments containing references, studies, research, and other
empirical data that are not widely published should include copies of
the referenced materials. Do not include in comments or otherwise
submit proprietary or confidential information, as all comments
received in response to this RFI will be made available publicly at
https://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm.
Current Awareness of the Cybersecurity Framework
Recognizing the critical importance of widespread voluntary usage
of the Framework in order to achieve the goals of the Executive Order,
and that usage initially depends upon awareness, NIST solicits
information about awareness of the Framework and its intended uses
among organizations.
1. What is the extent of awareness of the Framework among the
Nation's critical infrastructure organizations? Six months after the
Framework was issued, has it gained the traction needed to be a factor
in how organizations manage cyber risks in the Nation's critical
infrastructure?
2. How have organizations learned about the Framework? Outreach
from NIST or another government agency, an association, participation
in a NIST workshop, news media? Other source?
3. Are critical infrastructure owners and operators working with
sector-specific groups, non-profits, and other organizations that
support critical infrastructure to receive information and share
lessons learned about the Framework?
4. Is there general awareness that the Framework:
a. Is intended for voluntary use?
b. Is intended as a cyber risk management tool for all levels of an
organization in assessing risk and how cybersecurity factors into risk
assessments?
c. Builds on existing cybersecurity frameworks, standards, and
guidelines, and other management practices related to cybersecurity?
5. What are the greatest challenges and opportunities--for NIST,
the Federal government more broadly, and the private sector--to improve
awareness of the Framework?
6. Given that many organizations and most sectors operate globally
or rely on the interconnectedness of the global digital infrastructure,
what is the level of awareness internationally of the Framework?
7. If your sector is regulated, do you think your regulator is
aware of the Framework, and do you think it has taken any visible
actions reflecting such awareness?
8. Is your organization doing any form of outreach or education on
cybersecurity risk management (including the Framework)? If so, what
kind of outreach and how many entities are you reaching? If not, does
your organization plan to do any form of outreach or awareness on the
Framework?
9. What more can and should be done to raise awareness?
Experiences With the Cybersecurity Framework
NIST is seeking information on the experiences with, including but
not limited to early implementation and usage of, the Framework
throughout the Nation's critical infrastructure. NIST seeks information
from and about organizations that have had direct experience with the
Framework. Please provide information related to the following:
1. Has the Framework helped organizations understand the importance
of managing cyber risk?
2. Which sectors and organizations are actively planning to, or
already are, using the Framework, and how?
3. What benefits have been realized by early experiences with the
Framework?
4. What expectations have not been met by the Framework and why?
Specifically, what about the Framework is most helpful and why? What is
least helpful and why?
5. Do organizations in some sectors require some type of sector
specific guidance prior to use?
6. Have organizations that are using the Framework integrated it
with their broader enterprise risk management program?
7. Is the Framework's approach of major components--Core, Profile,
and Implementation Tiers--reasonable and helpful?
8. Section 3.0 of the Framework (``How to Use the Framework'')
presents a variety of ways in which organizations can use the
Framework.
a. Of these recommended practices, how are organizations initially
using the Framework?
b. Are organizations using the Framework in other ways that should
be highlighted in supporting material or in future versions of the
Framework?
c. Are organizations leveraging Section 3.5 of the Framework
(``Methodology to Protect Privacy and Civil Liberties'') and, if so,
what are their initial experiences? If organizations are not leveraging
this methodology, why not?
d. Are organizations changing their cybersecurity governance as a
result of the Framework?
e. Are organizations using the Framework to communicate information
about their cybersecurity risk management programs--including the
effectiveness of those programs--to stakeholders, including boards,
investors, auditors, and insurers?
f. Are organizations using the Framework to specifically express
cybersecurity requirements to their partners, suppliers, and other
third parties?
9. Which activities by NIST, the Department of Commerce overall
(including the Patent and Trademark Office (PTO); National
Telecommunications and Information Administration (NTIA); and the
Internet Policy Taskforce (IPTF)) or other departments and agencies
could be expanded or initiated to promote implementation of the
Framework?
10. Have organizations developed practices to assist in use of the
Framework?
Roadmap for the Future of the Cybersecurity Framework
NIST published a Roadmap \6\ in February 2014 detailing some issues
and challenges that should be addressed in order to improve future
versions of the Framework. Information is sought to answer the
following questions:
---------------------------------------------------------------------------
\6\ https://www.nist.gov/cyberframework/upload/roadmap-021214.pdf
---------------------------------------------------------------------------
1. Does the Roadmap identify the most important cybersecurity areas
to be addressed in the future?
2. Are key cybersecurity issues and opportunities missing that
should be considered as priorities, and if so, what are they and why do
they merit special attention?
3. Have there been significant developments--in the United States
or elsewhere--in any of these areas since the Roadmap was published
that NIST should be aware of and take into account as it works to
advance the usefulness of the Framework?
Dated: August 21, 2014.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2014-20315 Filed 8-25-14; 8:45 am]
BILLING CODE 3510-13-P