[Federal Register Volume 87, Number 35 (Tuesday, February 22, 2022)]
[Notices]
[Pages 9579-9581]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-03642]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket Number: 220210-0045]


Evaluating and Improving NIST Cybersecurity Resources: The 
Cybersecurity Framework and Cybersecurity Supply Chain Risk Management

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for information.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) is 
seeking information to assist in evaluating and improving its 
cybersecurity resources, including the ``Framework for Improving 
Critical Infrastructure Cybersecurity'' (the ``NIST Cybersecurity 
Framework,'' ``CSF'' or ``Framework'') and a variety of existing and 
potential standards, guidelines, and other information, including those 
relating to improving cybersecurity in supply chains. NIST is 
considering updating the NIST Cybersecurity Framework to account for 
the changing landscape of cybersecurity risks, technologies, and 
resources. In addition, NIST recently announced it would launch the 
National Initiative for Improving Cybersecurity in Supply Chains 
(NIICS) to address cybersecurity risks in supply chains. This wide-
ranging public-private partnership will focus on identifying tools and 
guidance for technology developers and providers, as well as 
performance-oriented guidance for those acquiring such technology. To 
inform the direction of the NIICS, including how it might be aligned 
and integrated with the Cybersecurity Framework, NIST is requesting 
information that will support the identification and prioritization of 
supply chain-related cybersecurity needs across sectors. Responses to 
this RFI will inform a possible revision of the Cybersecurity Framework 
as well as the NIICS initiative.

DATES: Comments in response to this notice must be received by April 
25, 2022. Submissions received after that date may not be considered.
    Comments may be submitted by any of the following methods:
    Electronic submission: Submit electronic public comments via the 
Federal e-Rulemaking Portal.
    1. Go to www.regulations.gov and enter NIST-2022-0001 in the search 
field,
    2. Click the ``Comment Now!'' icon, complete the required fields, 
and
    3. Enter or attach your comments.
    Electronic submissions may also be sent as an attachment to [email protected] and may be in any of the following unlocked formats: 
HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include 
your name, organization's name (if any), and cite ``NIST Cybersecurity 
RFI'' in all correspondence. Comments containing references, studies, 
research, and other empirical data that are not widely published should 
include copies of the referenced materials. Please do not submit 
additional materials.
    Comments received by the deadline may be posted at 
www.regulations.gov and https://www.nist.gov/cyberframework. All 
submissions, including attachments and other supporting materials, may 
become part of the public record and may be subject to public 
disclosure. NIST reserves the right to publish relevant comments 
publicly, unedited and in their entirety. Personal information, such as 
account numbers or Social Security numbers, or names of other 
individuals, should not be included. Do not submit confidential

[[Page 9580]]

business information, or otherwise sensitive or protected information. 
Comments that contain profanity, vulgarity, threats, or other 
inappropriate language or content will not be considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: 
[email protected] or Katherine MacFarland, National Institute of 
Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 
20899; (301) 975-3359. Direct media inquiries to NIST's Office of 
Public Affairs at (301) 975-2762. Users of telecommunication devices 
for the deaf, or a text telephone, may call the Federal Relay Service, 
toll free at 1-800-877-8339.
    Accessible Format: NIST will make the RFI available in alternate 
formats, such as Braille or large print, upon request by persons with 
disabilities.

SUPPLEMENTARY INFORMATION: The NIST Cybersecurity Framework consists of 
standards, methodologies, procedures, and processes that align policy, 
business, and technological approaches to reduce cybersecurity risks. 
It is used widely by private and public sector organizations in and 
outside of the United States and has been translated into multiple 
languages, speaking to its success as a common resource.
    The Cybersecurity Framework was last updated in April 2018. Much 
has changed in the cybersecurity landscape in terms of threats, 
capabilities, technologies, education and workforce, and the 
availability of resources to help organizations to better manage 
cybersecurity risk. That includes an increased awareness of and 
emphasis on cybersecurity risks in supply chains, including a decision 
to launch NIICS. With those changes in mind, NIST seeks to build on its 
efforts to cultivate trust by advancing cybersecurity and privacy 
standards and guidelines, technology, measurements, and practices by 
requesting information about the use, adequacy, and timeliness of the 
Cybersecurity Framework and the degree to which other NIST resources 
are used in conjunction with or instead of the Framework. Further, to 
inform the direction of the NIICS, including how it might be aligned 
and integrated with the Cybersecurity Framework, NIST is requesting 
information that will support the identification and prioritization of 
supply chain-related cybersecurity needs across sectors.
    Following is a non-exhaustive list of possible topics that may be 
addressed in any comments. Comments may address topics in the following 
list, or any other topic believed to have implications for the 
improvement of the NIST Cybersecurity Framework or NIST's cybersecurity 
guidance regarding supply chains. NIST will consider all relevant 
comments in the development of the revised Framework and guidance 
regarding supply chains.

Use of the NIST Cybersecurity Framework

    1. The usefulness of the NIST Cybersecurity Framework for aiding 
organizations in organizing cybersecurity efforts via the five 
functions in the Framework and actively managing risks using those five 
functions.
    2. Current benefits of using the NIST Cybersecurity Framework. Are 
communications improved within and between organizations and entities 
(e.g., supply chain partners, customers, or insurers)? Does the 
Framework allow for better assessment of risks, more effective 
management of risks, and/or increase the number of potential ways to 
manage risks? What might be relevant metrics for improvements to 
cybersecurity as a result of implementation of the Framework?
    3. Challenges that may prevent organizations from using the NIST 
Cybersecurity Framework or using it more easily or extensively (e.g., 
resource considerations, information sharing restrictions, 
organizational factors, workforce gaps, or complexity).
    4. Any features of the NIST Cybersecurity Framework that should be 
changed, added, or removed. These might include additions or 
modifications of: Functions, Categories, or Subcategories; Tiers; 
Profile Templates; references to standards, frameworks, models, and 
guidelines; guidance on how to use the Cybersecurity Framework; or 
references to critical infrastructure versus the Framework's broader 
use.
    5. Impact to the usability and backward compatibility of the NIST 
Cybersecurity Framework if the structure of the framework such as 
Functions, Categories, Subcategories, etc. is modified or changed.
    6. Additional ways in which NIST could improve the Cybersecurity 
Framework, or make it more useful.

Relationship of the NIST Cybersecurity Framework to Other Risk 
Management Resources

    7. Suggestions for improving alignment or integration of the 
Cybersecurity Framework with other NIST risk management resources. As 
part of the response, please indicate benefits and challenges of using 
these resources alone or in conjunction with the Cybersecurity 
Framework. These resources include:
     Risk management resources such as the NIST Risk Management 
Framework, the NIST Privacy Framework, and Integrating Cybersecurity 
and Enterprise Risk Management (NISTIR 8286).
     Trustworthy technology resources such as the NIST Secure 
Software Development Framework, the NIST Internet of Things (IoT) 
Cybersecurity Capabilities Baseline, and the Guide to Industrial 
Control System Cybersecurity.
     Workforce management resources such as the National 
Initiative for Cybersecurity Education (NICE) Workforce Framework for 
Cybersecurity.
    8. Use of non-NIST frameworks or approaches in conjunction with the 
NIST Cybersecurity Framework. Are there commonalities or conflicts 
between the NIST framework and other voluntary, consensus resources? 
Are there commonalities or conflicts between the NIST framework and 
cybersecurity-related mandates or resources from government agencies? 
Are there ways to improve alignment or integration of the NIST 
framework with other frameworks, such as international approaches like 
the ISO/IEC 27000-series, including ISO/IEC TS 27110?
    9. There are numerous examples of international adaptations of the 
Cybersecurity Framework by other countries. The continued use of 
international standards for cybersecurity, with a focus on 
interoperability, security, usability, and resilience can promote 
innovation and competitiveness while enabling organizations to more 
easily and effectively integrate new technologies and services. Given 
this importance, what steps should NIST consider to ensure any update 
increases international use of the Cybersecurity Framework?
    10. References that should be considered for inclusion within 
NIST's Online Informative References Program. This program is an effort 
to define standardized relationships between NIST and industry 
resources and elements of documents, products, and services and various 
NIST documents such as the NIST Cybersecurity Framework, NIST Privacy 
Framework, Security and Privacy Controls for Information Systems and 
Organizations (NIST Special Publication 800-53), NIST Secure Software 
Development Framework, and the NIST Internet of Things (IoT) 
Cybersecurity Capabilities Baseline.

[[Page 9581]]

Cybersecurity Supply Chain Risk Management

    11. National Initiative for Improving Cybersecurity in Supply 
Chains (NIICS). What are the greatest challenges related to the 
cybersecurity aspects of supply chain risk management that the NIICS 
could address? How can NIST build on its current work on supply chain 
security, including software security work stemming from E.O. 14028, to 
increase trust and assurance in technology products, devices, and 
services?
    12. Approaches, tools, standards, guidelines, or other resources 
necessary for managing cybersecurity-related risks in supply chains. 
NIST welcomes input on such resources in narrowly defined areas (e.g. 
pieces of hardware or software assurance or assured services, or 
specific to only one or two sectors) that may be useful to utilize more 
broadly; potential low risk, high reward resources that could be 
facilitated across diverse disciplines, sectors, or stakeholders; as 
well as large-scale and extremely difficult areas.
    13. Are there gaps observed in existing cybersecurity supply chain 
risk management guidance and resources, including how they apply to 
information and communications technology, operational technology, IoT, 
and industrial IoT? In addition, do NIST software and supply chain 
guidance and resources appropriately address cybersecurity challenges 
associated with open-source software? Are there additional approaches, 
tools, standards, guidelines, or other resources that NIST should 
consider to achieve greater assurance throughout the software supply 
chain, including for open-source software?
    14. Integration of Framework and Cybersecurity Supply Chain Risk 
Management Guidance. Whether and how cybersecurity supply chain risk 
management considerations might be further integrated into an updated 
NIST Cybersecurity Framework--or whether and how a new and separate 
framework focused on cybersecurity supply chain risk management might 
be valuable and more appropriately be developed by NIST.

Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2022-03642 Filed 2-18-22; 8:45 am]
BILLING CODE 3510-13-P