NIST Issues Update on Cybersecurity Framework, Highlights Priorities Moving Forward
NIST’s update makes several observations regarding how organizations are currently using the Framework. Notably, NIST recognized that the Tiers “appear to be the least-used part of the Framework” and that additional guidance may be needed on the appropriate use of tiers. In addition, NIST noted the continued interest expressed by industry in expanded information-sharing activities and highlighted its release of draft Special Publication (SP) 800-150. Published in October 2014, draft SP 800-150 offers entities guidance on the safe and effective sharing of cyber threat information in support of incident response. NIST also acknowledged stakeholder calls for global policy and enforcement alignment and the need for greater visibility of the Framework to avoid confusion and “conflicting expectations in the global business environment.”
NIST also expressed sensitivity to concerns about the Framework’s uncertain regulatory implications and acknowledged industry desire for additional guidance on use of the Framework. To that end, NIST indicated its intent to provide guidance on the appropriate use of the Framework, including actual or exemplary illustrations, as well as guidance tailored to specific sectors including smaller enterprises.
NIST does not anticipate updating the Framework itself within the next year, in light of “widespread agreement among participants that it is too early to update the Framework and that more time is needed to understand and use the current version.” For now, NIST’s priority will be “to develop and disseminate information and training materials that advance use of the Framework.” In furtherance of that goal, NIST intends to pursue the following initiatives:
- develop material on aligning the Framework with business processes, including integrating cybersecurity risk management with broader enterprise risk management;
- partner with other organizations to help raise awareness about the Framework;
- explore options for hosting publicly available Framework reference materials; and
- continue hosting workshops, webinars, and similar meetings on the Framework to bring in additional stakeholders.
Moving forward, corporate boards and management are likely to see the Framework continue to be cited as a resource for those involved in the design, operations, and oversight of cybersecurity risk management efforts, including preparation for a cybersecurity breach.
NIST has not scheduled additional workshops or public opportunities for further engagement on the Framework at this time, but the update does note that NIST welcomes ongoing feedback via email (firstname.lastname@example.org).
Donald DePass, an associate in our Washington, D.C. office, contributed to this entry.