April 27, 2022

WASHINGTON – Today, in recommendations to the National Institute of Standards and Technology (NIST), global tech trade association ITI outlined how the NIST Cybersecurity Framework could be updated to better reflect the evolving landscape of cybersecurity risks, technologies and resources, including if and how to more fully integrate cyber supply chain risk management practices.

"ITI has been engaged in NIST's Framework efforts for the better part of a decade, working to provide constructive input and shape the Framework to make it as useful as possible, and appreciates the opportunity to provide additional feedback as NIST considers if and how to further revise the Framework. We continue to see the Framework provide immense value to users, within critical infrastructure but also beyond," ITI wrote in the comments. "That said, there has also been a significant amount of government activity aimed at improving cybersecurity and addressing risks, particularly with the issuance of the Executive Order on Improving the Nation's Cybersecurity (Executive Order 14028). Although supply chain cybersecurity was considered to some extent in version 1.1 of the Framework, it has taken on increased prominence, especially in the context of software supply chain security. As such, we appreciate that NIST is asking stakeholders important questions about ways in which integrating supply chain security can increase the overall effectiveness of the Framework."

In the comments, ITI provided recommendations and suggestions for how NIST might update the Framework to further advance effective and integrated cybersecurity risk management, including the following:

  • Consider ways to make the Framework more objective, including by strengthening the Profiles section, improving guidance around the Tiers, thinking about how to improve guidance for organizations on how to meet expectations for some of the subcategories, and considering how to address challenges related to measuring the effectiveness of the implementation of the Framework.

  • Consider adding an explicit Governance function to highlight the important role that governance plays in cyber risk management and to further align the Cybersecurity Framework with the Privacy and AI Risk Management Frameworks.

  • Explain how the Cybersecurity Framework relates to other NIST-developed Frameworks, with a particular focus on how secure software development practices might interrelate with the Framework.

  • Harmonize federal cyber initiatives with the Framework to increase use of the Framework.

In its comments, ITI also offered recommendations that NIST should consider as it seeks to launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) efforts, including around how to address cyber supply chain risk management practices in the Cyber Framework itself:

  • Ensure that National Initiative for Improving Cybersecurity in Supply Chains (NIICS) efforts are harmonized with other ongoing supply chain efforts.

  • Consider that there are both benefits and drawbacks to more robustly integrating cyber supply chain risk management into the Framework. Benefits include having Informative References in one place and emphasizing the important role of supply chain risk management in cybersecurity, while drawbacks include overwhelming and complicating the Framework.

  • Consider developing guidance for organizations around engaging with and contributing to open-source communities.

Read ITI's comments here.
