Framework Update Process: July 2018
July 2018
cyberframework@nist.gov
Continued Improvement of Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:
“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”
Coordinating & Consulting
Adherence with Cybersecurity Enhancement Act of 2014
Features List
Milestones
Three Year Minimum Update Cycle
[Figure: update cycle timeline. Stages: Features List (Version A), Features List (Version B), Features List (Version C), Draft Framework Update, Publish Framework Update. Each Features List is labeled Major, Minor, Administrative. Decision point: "New Version?", 3 years from last Final Update.]
Framework Versioning Process
Living Document Process
Columns: What? | Who? | Administrative | Minor | Major

Nominate Features for Consideration (Who: All*)
Administrative: Happens through dialog and cyberframework@nist.gov
Minor: Happens through dialog and cyberframework@nist.gov
Major: Formal Request for Information through Federal Register, 60 day comment period, and Published Comment Analysis

Review Nominated Features (Who: NIST**)
Unless otherwise requested by stakeholders, this process initiates three years from the publication date of the last final version

(Request for) Comment on Proposed Features (Who: Stakeholders)
Administrative: Not Required
Minor: Informal comments, 30 day comment period
Major: Formal Request for Comment through Federal Register, 60 day comment period, and Published Comment Analysis

Host Workshop [NIST] to Discuss Proposed Features (Who: All)
Not Required / Required

Publish Workshop Summary of Next Steps (Who: NIST)
Not Required / Required

Draft Down-Selected Features into Proposed Update (Who: NIST)
Required / Required

(Request for) Comment on Proposed Update (Who: Stakeholders)
Informal comments, 30 day comment period

Host Workshop [NIST] to Discuss Proposed Update (Who: All)
Not required for Administrative Version / Required

Publish Workshop Summary of Next Steps (Who: NIST)
N/A / Required

Publish Final Update (Who: NIST)
Administrative: Three month minimum versioning timeline
Minor: One year & six month minimum versioning timeline
Major: One year & six month minimum versioning timeline

* Includes NIST and Framework stakeholders
** An opportunity to confer with collaborators, as defined in CEA of 2014
Resources