Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management, 9579-9581 [2022-03642]
Federal Register / Vol. 87, No. 35 / Tuesday, February 22, 2022 / Notices
[Federal Register Volume 87, Number 35 (Tuesday, February 22, 2022)]
[Notices]
[Pages 9579-9581]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-03642]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket Number: 220210-0045]
Evaluating and Improving NIST Cybersecurity Resources: The
Cybersecurity Framework and Cybersecurity Supply Chain Risk Management
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice; request for information.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST) is
seeking information to assist in evaluating and improving its
cybersecurity resources, including the ``Framework for Improving
Critical Infrastructure Cybersecurity'' (the ``NIST Cybersecurity
Framework,'' ``CSF'' or ``Framework'') and a variety of existing and
potential standards, guidelines, and other information, including those
relating to improving cybersecurity in supply chains. NIST is
considering updating the NIST Cybersecurity Framework to account for
the changing landscape of cybersecurity risks, technologies, and
resources. In addition, NIST recently announced it would launch the
National Initiative for Improving Cybersecurity in Supply Chains
(NIICS) to address cybersecurity risks in supply chains. This wide-
ranging public-private partnership will focus on identifying tools and
guidance for technology developers and providers, as well as
performance-oriented guidance for those acquiring such technology. To
inform the direction of the NIICS, including how it might be aligned
and integrated with the Cybersecurity Framework, NIST is requesting
information that will support the identification and prioritization of
supply chain-related cybersecurity needs across sectors. Responses to
this RFI will inform a possible revision of the Cybersecurity Framework
as well as the NIICS initiative.
DATES: Comments in response to this notice must be received by April
25, 2022. Submissions received after that date may not be considered.
Comments may be submitted by any of the following methods:
Electronic submission: Submit electronic public comments via the
Federal e-Rulemaking Portal.
1. Go to www.regulations.gov and enter NIST-2022-0001 in the search
field,
2. Click the ``Comment Now!'' icon, complete the required fields,
and
3. Enter or attach your comments.
Electronic submissions may also be sent as an attachment to
CSF-SCRM-RFI@nist.gov and may be in any of the following unlocked formats:
HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include
your name, organization's name (if any), and cite ``NIST Cybersecurity
RFI'' in all correspondence. Comments containing references, studies,
research, and other empirical data that are not widely published should
include copies of the referenced materials. Please do not submit
additional materials.
Comments received by the deadline may be posted at
www.regulations.gov and https://www.nist.gov/cyberframework. All
submissions, including attachments and other supporting materials, may
become part of the public record and may be subject to public
disclosure. NIST reserves the right to publish relevant comments
publicly, unedited and in their entirety. Personal information, such as
account numbers or Social Security numbers, or names of other
individuals, should not be included. Do not submit confidential
business information, or otherwise sensitive or protected information.
Comments that contain profanity, vulgarity, threats, or other
inappropriate language or content will not be considered.
FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact:
CSF-SCRM-RFI@nist.gov or Katherine MacFarland, National Institute of
Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD
20899; (301) 975-3359. Direct media inquiries to NIST's Office of
Public Affairs at (301) 975-2762. Users of telecommunication devices
for the deaf, or a text telephone, may call the Federal Relay Service,
toll free at 1-800-877-8339.
Accessible Format: NIST will make the RFI available in alternate
formats, such as Braille or large print, upon request by persons with
disabilities.
SUPPLEMENTARY INFORMATION: The NIST Cybersecurity Framework consists of
standards, methodologies, procedures, and processes that align policy,
business, and technological approaches to reduce cybersecurity risks.
It is used widely by private and public sector organizations in and
outside of the United States and has been translated into multiple
languages, speaking to its success as a common resource.
The Cybersecurity Framework was last updated in April 2018. Much
has changed in the cybersecurity landscape in terms of threats,
capabilities, technologies, education and workforce, and the
availability of resources to help organizations to better manage
cybersecurity risk. That includes an increased awareness of and
emphasis on cybersecurity risks in supply chains, including a decision
to launch NIICS. With those changes in mind, NIST seeks to build on its
efforts to cultivate trust by advancing cybersecurity and privacy
standards and guidelines, technology, measurements, and practices by
requesting information about the use, adequacy, and timeliness of the
Cybersecurity Framework and the degree to which other NIST resources
are used in conjunction with or instead of the Framework. Further, to
inform the direction of the NIICS, including how it might be aligned
and integrated with the Cybersecurity Framework, NIST is requesting
information that will support the identification and prioritization of
supply chain-related cybersecurity needs across sectors.
Following is a non-exhaustive list of possible topics that may be
addressed in any comments. Comments may address topics in the following
list, or any other topic believed to have implications for the
improvement of the NIST Cybersecurity Framework or NIST's cybersecurity
guidance regarding supply chains. NIST will consider all relevant
comments in the development of the revised Framework and guidance
regarding supply chains.
Use of the NIST Cybersecurity Framework
1. The usefulness of the NIST Cybersecurity Framework for aiding
organizations in organizing cybersecurity efforts via the five
functions in the Framework and actively managing risks using those five
functions.
2. Current benefits of using the NIST Cybersecurity Framework. Are
communications improved within and between organizations and entities
(e.g., supply chain partners, customers, or insurers)? Does the
Framework allow for better assessment of risks, more effective
management of risks, and/or increase the number of potential ways to
manage risks? What might be relevant metrics for improvements to
cybersecurity as a result of implementation of the Framework?
3. Challenges that may prevent organizations from using the NIST
Cybersecurity Framework or using it more easily or extensively (e.g.,
resource considerations, information sharing restrictions,
organizational factors, workforce gaps, or complexity).
4. Any features of the NIST Cybersecurity Framework that should be
changed, added, or removed. These might include additions or
modifications of: Functions, Categories, or Subcategories; Tiers;
Profile Templates; references to standards, frameworks, models, and
guidelines; guidance on how to use the Cybersecurity Framework; or
references to critical infrastructure versus the Framework's broader
use.
5. Impact to the usability and backward compatibility of the NIST
Cybersecurity Framework if the structure of the framework such as
Functions, Categories, Subcategories, etc. is modified or changed.
6. Additional ways in which NIST could improve the Cybersecurity
Framework, or make it more useful.
Relationship of the NIST Cybersecurity Framework to Other Risk
Management Resources
7. Suggestions for improving alignment or integration of the
Cybersecurity Framework with other NIST risk management resources. As
part of the response, please indicate benefits and challenges of using
these resources alone or in conjunction with the Cybersecurity
Framework. These resources include:
• Risk management resources such as the NIST Risk Management
Framework, the NIST Privacy Framework, and Integrating Cybersecurity
and Enterprise Risk Management (NISTIR 8286).
• Trustworthy technology resources such as the NIST Secure
Software Development Framework, the NIST Internet of Things (IoT)
Cybersecurity Capabilities Baseline, and the Guide to Industrial
Control System Cybersecurity.
• Workforce management resources such as the National
Initiative for Cybersecurity Education (NICE) Workforce Framework for
Cybersecurity.
8. Use of non-NIST frameworks or approaches in conjunction with the
NIST Cybersecurity Framework. Are there commonalities or conflicts
between the NIST framework and other voluntary, consensus resources?
Are there commonalities or conflicts between the NIST framework and
cybersecurity-related mandates or resources from government agencies?
Are there ways to improve alignment or integration of the NIST
framework with other frameworks, such as international approaches like
the ISO/IEC 27000-series, including ISO/IEC TS 27110?
9. There are numerous examples of international adaptations of the
Cybersecurity Framework by other countries. The continued use of
international standards for cybersecurity, with a focus on
interoperability, security, usability, and resilience can promote
innovation and competitiveness while enabling organizations to more
easily and effectively integrate new technologies and services. Given
this importance, what steps should NIST consider to ensure any update
increases international use of the Cybersecurity Framework?
10. References that should be considered for inclusion within
NIST's Online Informative References Program. This program is an effort
to define standardized relationships between NIST and industry
resources and elements of documents, products, and services and various
NIST documents such as the NIST Cybersecurity Framework, NIST Privacy
Framework, Security and Privacy Controls for Information Systems and
Organizations (NIST Special Publication 800-53), NIST Secure Software
Development Framework, and the NIST Internet of Things (IoT)
Cybersecurity Capabilities Baseline.
Cybersecurity Supply Chain Risk Management
11. National Initiative for Improving Cybersecurity in Supply
Chains (NIICS). What are the greatest challenges related to the
cybersecurity aspects of supply chain risk management that the NIICS
could address? How can NIST build on its current work on supply chain
security, including software security work stemming from E.O. 14028, to
increase trust and assurance in technology products, devices, and
services?
12. Approaches, tools, standards, guidelines, or other resources
necessary for managing cybersecurity-related risks in supply chains.
NIST welcomes input on such resources in narrowly defined areas (e.g.,
pieces of hardware or software assurance or assured services, or
specific to only one or two sectors) that may be useful to utilize more
broadly; potential low risk, high reward resources that could be
facilitated across diverse disciplines, sectors, or stakeholders; as
well as large-scale and extremely difficult areas.
13. Are there gaps observed in existing cybersecurity supply chain
risk management guidance and resources, including how they apply to
information and communications technology, operational technology, IoT,
and industrial IoT? In addition, do NIST software and supply chain
guidance and resources appropriately address cybersecurity challenges
associated with open-source software? Are there additional approaches,
tools, standards, guidelines, or other resources that NIST should
consider to achieve greater assurance throughout the software supply
chain, including for open-source software?
14. Integration of Framework and Cybersecurity Supply Chain Risk
Management Guidance. Whether and how cybersecurity supply chain risk
management considerations might be further integrated into an updated
NIST Cybersecurity Framework--or whether and how a new and separate
framework focused on cybersecurity supply chain risk management might
be valuable and more appropriately be developed by NIST.
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2022-03642 Filed 2-18-22; 8:45 am]
BILLING CODE 3510-13-P