NIST opens latest cyber framework draft for public comment
The request for comment is the latest in a series of engagements with the general public, including private sector companies, operators of critical infrastructure, public sector employees and members of academia.
The National Institute of Standards and Technology on Oct. 29 officially launched the public comment period for feedback on the most recent iteration of its proposed cybersecurity framework.
The Federal Register request for comments formally opens a 45-day period for the public to weigh in on the latest draft framework, released Oct. 22. The comment period will close Dec. 13.
The request for comment is the latest in a series of engagements with the general public, including private sector companies, operators of critical infrastructure, public sector employees and members of academia, among others.
The broad involvement in the framework's development has help lay the groundwork for the guidelines, with a final version due in February 2014 under requirements from President Barack Obama's February executive order addressing cybersecurity. NIST officials have held a series of workshops across the country throughout the year, with a final event slated for Nov. 14-15 in Raleigh, N.C.
"We knew it was essential to have early and substantive involvement" of the public, NIST Director Patrick Gallagher told reporters on Oct. 22. "As part of this effort more than 3,000 people have participated in the development, either through workshops, webinars, comments on drafts – this participation is absolutely essential."
The latest draft, and perhaps some of the feedback to date, will be up for discussion at the next workshop, as will be options for an industry-led governance structure for the framework, Gallagher said. It is likely that questions about how to measure compliance, privacy and civil liberties, and how to maintain the framework as a flexible document, even past February, also will be on the table in Raleigh.
"This is not going to be in a fully mature state when it's released in February," Gallagher said. "The framework must be a living document [and] allow for continuous improvement and technology and threats change and as business mature. It must evolve to meet business needs in real time."