The National Institute of Standards and Technology (NIST) developed and issued its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” (Framework) in response to a 2013 Executive Order in February of 2014. It was developed in collaboration with industry, academia and state and federal government officials. It has been widely praised and used as a valuable tool for companies to assess and respond to cybersecurity risk in their organizations.

On December 11, 2015, NIST issued a Request for Information to receive feedback on the use of the Framework, including specific questions about:

  • the variety of ways in which the Framework is being used to improve cybersecurity risk management,
  • how best practices for using the Framework are being shared,
  • the relative value of different parts of the Framework,
  • the possible need for an update of the Framework, and
  • options for the long-term management of the Framework.

The comment period is from December 11, 2015 through February 9, 2016. Comments will be used to enhance the Framework and to assist with developing the agenda for a Framework workshop being planned for April 6 and 7, 2016 at NIST.