Request for Information about Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management
The National Institute of Standards and Technology (NIST) is seeking information to assist in evaluating and improving its cybersecurity resources, including the “Framework for Improving Critical Infrastructure Cybersecurity” (the “NIST Cybersecurity Framework,” “CSF” or “Framework”) and a variety of existing and potential standards, guidelines, and other information, including those relating to improving cybersecurity in supply chains. NIST is considering updating the NIST Cybersecurity Framework to account for the changing landscape of cybersecurity risks, technologies, and resources. In addition, NIST recently announced it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. This wide-ranging public-private partnership will focus on identifying tools and guidance for technology developers and providers, as well as performance-oriented guidance for those acquiring such technology. To inform the direction of the NIICS, including how it might be aligned and integrated with the Cybersecurity Framework, NIST is requesting information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors. Responses to this RFI will inform a possible revision of the Cybersecurity Framework as well as the NIICS initiative.
Comments in response to this notice must be received by April 25, 2022. Submissions received after that date may not be considered.
Comments may be submitted by any of the following methods:
Electronic submission: Submit electronic public comments via the Federal e-Rulemaking Portal.
- Go to www.regulations.gov and enter NIST-2022-0001 in the search field,
- Click the “Comment Now!” icon, complete the required fields, and
- Enter or attach your comments.
Electronic submissions may also be sent as an attachment to CSF-SCRM-RFI@nist.gov and may be in any of the following unlocked formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization's name (if any), and cite “NIST Cybersecurity RFI” in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. Please do not submit additional materials.
Comments received by the deadline may be posted at www.regulations.gov and https://www.nist.gov/cyberframework. All submissions, including attachments and other supporting materials, may become part of the public record and may be subject to public disclosure. NIST reserves the right to publish relevant comments publicly, unedited, and in their entirety. Personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Do not submit confidential business information or otherwise sensitive or protected information. Comments that contain profanity, vulgarity, threats, or other inappropriate language or content will not be considered.
FOR FURTHER INFORMATION CONTACT:
For questions about this RFI contact: CSF-SCRM-RFI@nist.gov or Katherine MacFarland, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899; (301) 975-3359. Direct media inquiries to NIST's Office of Public Affairs at (301) 975-2762. Users of telecommunication devices for the deaf, or a text telephone, may call the Federal Relay Service, toll-free at 1-800-877-8339.
Accessible Format: NIST will make the RFI available in alternate formats, such as Braille or large print, upon request by persons with disabilities.