Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity, 8408-8409 [2017-01599]
[Federal Register Volume 82, Number 15 (Wednesday, January 25, 2017)]
[Notices]
[Pages 8408-8409]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-01599]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Proposed Update to the Framework for Improving Critical
Infrastructure Cybersecurity
AGENCY: National Institute of Standards and Technology, Commerce.
ACTION: Notice, request for comments.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
requests comments on a proposed update to the Framework for Improving
Critical Infrastructure Cybersecurity (the ``Framework''). The
voluntary Framework consists of standards, methodologies, procedures,
and processes that align policy, business, and technological approaches
to address cyber risks. The Framework was published on February 12,
2014, after a year-long, open process involving private and public
sector organizations, including extensive input and public comments. It
has been used with increasing frequency and in a variety of ways by
organizations of all sizes, areas of interest, and based inside and
outside the United States.
This Request for Comments (RFC) is meant to facilitate coordination
with, ``private sector personnel and entities, critical infrastructure
owners and operators, and other relevant industry organizations'' as
directed by the Cybersecurity Enhancement Act of 2014.\1\ The proposed
update to the Framework is available for review at https://www.nist.gov/cyberframework. Responses to this RFC will be posted at https://www.nist.gov/cyberframework and will inform NIST's planned update to
the Framework.
---------------------------------------------------------------------------
\1\ See 15 U.S.C. 272(e)(1)(A)(i). The Cybersecurity Enhancement
Act of 2014 (S.1353) became public law 113-274 on December 18, 2014
and may be found at: https://www.congress.gov/bill/113th-congress/senate-bill/1353/text.
---------------------------------------------------------------------------
DATES: Comments must be received by 5:00 p.m. Eastern time on April 10,
2017.
ADDRESSES: Written comments may be submitted by mail to Edwin Games,
National Institute of Standards and Technology, 100 Bureau Drive, Stop
8930, Gaithersburg, MD 20899. Online submissions in electronic form may
be sent to cyberframework@nist.gov in any of the following formats:
HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include
your name, organization's name (if any), and cite ``Comments on Draft
Update of the Framework for Improving Critical Infrastructure
Cybersecurity'' in all correspondence. Comments containing references,
studies, research, and other empirical data that are not widely
published should include copies of the referenced materials. The
proposed update to the Framework is available for review at https://www.nist.gov/cyberframework.
All comments received in response to this RFC will be posted at
https://www.nist.gov/cyberframework without change or redaction, so
commenters should not include information they do not wish to be posted
(e.g., personal or confidential business information). Comments that
contain profanity, vulgarity, threats, or other inappropriate language
will not be posted or considered.
FOR FURTHER INFORMATION CONTACT: For questions about this RFC contact:
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue
NW., Washington, DC 20230, telephone (202) 482-0788, email
Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST's Office
of Public Affairs at (301) 975-2762.
SUPPLEMENTARY INFORMATION: The national and economic security of the
United States depends on the reliable functioning of critical
infrastructure,\2\ which has become increasingly dependent on
information technology. Cyber attacks and publicized weaknesses
reinforce the need for improved capabilities for defending against
malicious cyber activity. This is a long-term challenge.
---------------------------------------------------------------------------
\2\ For the purposes of this RFC the term ``critical
infrastructure'' has the meaning given the term in 42 U.S.C.
5195c(e): ``systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on
security, national economic security, national public health or
safety, or any combination of those matters.''
---------------------------------------------------------------------------
The Secretary of Commerce was tasked to direct the Director of NIST
to lead the development of a voluntary framework to reduce cyber risks
to critical infrastructure (the ``Framework'').\3\ The Framework
consists of standards, methodologies, procedures and processes that
align policy, business, and technological approaches to address cyber
risks. The Framework was developed by NIST using information collected
through the Request for Information (RFI) that was published in the
Federal Register on February 25, 2013 (78 FR 13024), a series of open
public workshops, and a 45-day public comment period announced in the
Federal Register on October 29, 2013 (78 FR 64478). It was published on
February 12, 2014, after a year-long, open process involving private
and public sector organizations, including extensive input and public
comments, and announced in the Federal Register on February 18, 2014
(79 FR 9167). Responses to subsequent RFIs, as announced through the
Federal Register (79 FR 50891 and 80 FR 76934), and workshops
encouraged NIST to update the Framework.
---------------------------------------------------------------------------
\3\ See Executive Order 13636, Improving Critical Infrastructure
Cybersecurity (Feb. 12, 2013), https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf. The Cybersecurity Framework may be
found at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------
The Cybersecurity Framework incorporates voluntary consensus
standards and industry best practices to the fullest extent possible
and is consistent with voluntary international consensus-based
standards when such international standards advance the objectives of
the Cybersecurity Enhancement Act of 2014. The Framework is designed
for compatibility with existing regulatory authorities and regulations,
although it is intended for voluntary adoption.
Given the diversity of sectors in the Nation's critical
infrastructure, the Framework development process was designed to build
on cross-sector security standards and guidelines that are immediately
applicable or likely to be applicable to critical infrastructure. The
process also was intended to increase visibility and use of those
standards and guidelines, and to find potential areas for improvement
(e.g., where standards/guidelines are nonexistent) that need to be
addressed through future collaboration with industry and industry-led
standards bodies.
While the focus of the Framework is on the Nation's critical
infrastructure, it was developed in a manner to promote wide adoption
of practices to increase risk management-based cybersecurity across all
industry sectors and by all types of organizations.
NIST has worked closely with industry groups, associations, non-
profits, government agencies, and international standards bodies to
increase awareness of the Framework. NIST has promoted the use of the
Framework as a basic, flexible, and adaptable tool for managing and
reducing cybersecurity risks. The Framework was designed as a
communication tool. It is applicable for leaders at all levels of an
organization. For these reasons, NIST has engaged a wide diversity of
stakeholders in Framework education. NIST has also issued several RFIs,
held workshops, and encouraged direct communication with potential and
current users of the Framework.
Based on the information received from the public via these
channels and the work that it has carried out on cybersecurity--
including its collaborative efforts with the private sector--NIST has
developed a draft update of the Framework (termed ``Version 1.1'' or
``V1.1''), available at https://www.nist.gov/cyberframework. This draft
update seeks to clarify, refine, and enhance the Framework, and make it
easier to use, while retaining its flexible, voluntary, and cost-
effective nature. The update also will be fully compatible with the
February 2014 version of the Framework in that either version may be
used by organizations without degrading communication or functionality.
Request for Comments
NIST is soliciting public comments on this proposed update.
Specifically, NIST is interested in comments that address updated
features of the Framework. These features seek to:
• Clarify Implementation Tier use and relationship to
Profiles,
• Enhance guidance for applying the Framework for supply
chain risk management,
• Provide guidance on metrics and measurements using the
Framework,
• Update the FAQs to support understanding and use of
Framework, and
• Update the Informative References.
NIST also will consider comments on other aspects of the Framework
update. All comments will be made available to the public. These
comments will be analyzed and will be one focus of a public workshop to
be held in May 2017. Details about that workshop, which also will
feature user experiences with the Framework, will be announced on the
NIST Cybersecurity Framework Web site at: https://www.nist.gov/cyberframework. To receive notice about the workshop, please contact:
cyberframework@nist.gov.
After the May 2017 workshop and considering the comments received
on this draft update, NIST intends to issue a final version of
Framework V1.1 along with an updated Roadmap \4\ document that
describes recommended activities in work areas that are related and
complementary to the Framework.
---------------------------------------------------------------------------
\4\ The Cybersecurity Framework Roadmap may be found at: https://www.nist.gov/sites/default/files/documents/cyberframework/roadmap-021214.pdf.
Kevin Kimball,
NIST Chief of Staff.
[FR Doc. 2017-01599 Filed 1-24-17; 8:45 am]
BILLING CODE 3510-13-P