
Framework Update Process

July 2018

cyberframework@nist.gov
Continued Improvement of Critical Infrastructure Cybersecurity

February 12, 2013
Executive Order 13636

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

December 18, 2014
Cybersecurity Enhancement Act of 2014 (P.L. 113-274)

Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:

“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”

Coordinating & Consulting
Adherence with Cybersecurity Enhancement Act of 2014

(1) In general.—In carrying out the activities under subsection (c)(15), the Director--

``(i) <<NOTE: Coordination.>> coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;

``(ii) <<NOTE: Consultation.>> consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;

``(vii) prevent duplication of regulatory processes and prevent
conflict with or superseding of regulatory requirements,
mandatory standards, and related processes;
Continued Improvement of Critical Infrastructure Cybersecurity

Update Activities | Engagement
Request for Information – Views on the Framework for Improving Critical Infrastructure Cybersecurity – Dec 2015 | 105 Responses
7th Workshop – Apr 2016 | 653 Physical Attendees, 140 Online Attendees
Draft 1 – Framework Version 1.1 – Released Jan 2017 | -
Request for Comment – Proposed update to the Framework for Improving Critical Infrastructure Cybersecurity – Jan 2017 | 129 Responses
8th Workshop – May 2017 | 517 Physical Attendees, 1528 Online Attendees
Request for Comment – Cybersecurity Framework Version 1.1 – Draft 2 – Dec 2017 | 89 Responses
Framework Version 1.1 – Released April 2018 | -

Features List Concept
Living Document Process

• Meetings
• Events
• Roundtable Dialogs
• Requests for Information
• Requests for Comments
• Observations from Resources
• Observations from References
• Subject Matter Expertise
• cyberframework@nist.gov

Features List

• Sorted by effect on backwards compatibility
• Prioritized based on stakeholder importance

Major
Minor
Administrative

Milestones
Three Year Minimum Update Cycle

[Timeline figure: Features List (Version A), Features List (Version B), Features List (Version C), Draft Framework Update, Publish Framework Update. Each Features List is divided into Major, Minor and Administrative. An Annual Conference is marked at four points along the timeline. Decision point: "New Version? 3 years from last Final Update".]

Framework Versioning Process
Living Document Process

What? | Who? | Administrative | Minor | Major

• Nominate Features for Consideration (Who: All*)
  Administrative: Happens through dialog and cyberframework@nist.gov
  Minor: Happens through dialog and cyberframework@nist.gov
  Major: Formal Request for Information through Federal Register, 60 day comment period, and Published Comment Analysis
• Review Nominated Features (Who: NIST**)
  Unless otherwise requested by stakeholders, this process initiates three years from the publication date of the last final version
• (Request for) Comment on Proposed Features (Who: Stakeholders)
  Administrative: Not Required
  Minor: Informal comments, 30 day comment period
  Major: Formal Request for Comment through Federal Register, 60 day comment period, and Published Comment Analysis
• Host Workshop [NIST] to Discuss Proposed Features (Who: All)
  Not Required; Required
• Publish Workshop Summary of Next Steps (Who: NIST)
  Not Required; Required
• Draft Down-Selected Features into Proposed Update (Who: NIST)
  Required; Required
• (Request for) Comment on Proposed Update (Who: Stakeholders)
  Informal comments, 30 day comment period
• Host Workshop [NIST] to Discuss Proposed Update (Who: All)
  Not required for Administrative Version; Required
• Publish Workshop Summary of Next Steps (Who: NIST)
  N/A; Required
• Publish Final Update (Who: NIST)
  Administrative: Three month minimum versioning timeline
  Minor: One year & six month minimum versioning timeline
  Major: One year & six month minimum versioning timeline

* Includes NIST and Framework stakeholders
** An opportunity to confer with collaborators, as defined in CEA of 2014

Resources

• Framework for Improving Critical Infrastructure Cybersecurity and related news and information:
  • www.nist.gov/cyberframework

• Additional cybersecurity resources:
  • http://csrc.nist.gov/

• Questions, comments, ideas:
  • cyberframework@nist.gov
