Views on the Framework for Improving Critical Infrastructure Cybersecurity

AGENCY:

National Institute of Standards and Technology, Commerce.

ACTION:

Notice; extension of comment period.

SUMMARY:

The National Institute of Standards and Technology (NIST) is extending the period for submitting comments relating to the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”) through February 23, 2016. In a Request for Information (RFI) that published in the Federal Register on December 11, 2015 (80 FR 76934), NIST requested information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework. NIST is extending the comment period announced in the December 11, 2015 RFI from February 9, 2016 to February 23, 2016.

DATES:

Comments must be received by 5:00 p.m. Eastern time on February 23, 2016. Comments received after February 9, 2016 and before publication of this notice are deemed to be timely.

ADDRESSES:

Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please include your name and your organization's name (if any), and cite “Views on the Framework for Improving Critical Infrastructure Cybersecurity” in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. Please do not submit additional materials.

All comments received in response to this RFI will be posted at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).

FOR FURTHER INFORMATION CONTACT:

For questions about this RFI contact: Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899 or cyberframework@nist.gov. Please direct media inquiries to NIST's Office of Public Affairs at (301) 975-2762.

SUPPLEMENTARY INFORMATION:

NIST is extending the comment period announced in the December 11, 2015 Request for Information (RFI) (80 FR 76934) through February 23, 2016. NIST is authorized by the Cybersecurity Enhancement Act of 2014 to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.” Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” tasked the Secretary of Commerce to direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure. A final version of Framework 1.0 was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive industry input and public comments, and announced in the Federal Register (79 FR 9167) on February 18, 2014. On December 11, 2015 NIST published a RFI in the Federal Register (80 FR 76934) seeking information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework. NIST is extending the comment period announced in the December 11, 2015 RFI from February 9, 2016 to February 23, 2016 to allow comments to be submitted during a timeframe in which a variety of cybersecurity events are scheduled to occur.