This is part of an ongoing look at the responses to the National Institute of Standards and Technology's (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). As a reminder, the comment period will remain open until February
9th, 2016. The previous posts in this series include:
As of this morning there are only two new responses posted
to the RFI Response site. They come from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
Not addressed by either commenter.
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
One of the commenters noted that the use of the CSF should
be expanded to all small and medium businesses, even those not specifically
considered ‘critical infrastructure’.
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
Not addressed by either commenter.
Commentary
Both responses posted today were remarkably non-contributory
to the intended discussion. With the comment period over halfway completed, the
number of responses has been underwhelming to say the least, but that is fairly
typical of the response process. The response rate should increase
significantly as the deadline approaches. It takes time for organizations to
develop their official responses.