On February 12, 2013, President Obama issued Executive Order 13636, which directed federal agencies to undertake a broad range of tasks aimed at enhancing the security and resilience of the nation’s critical infrastructure.  One task directed the National Institute of Standards and Technology (“NIST”) to establish a technology-neutral, voluntary, risk-based cybersecurity framework. A year later, on February 12, 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0.  The Framework includes standards and processes that are intended to align policy, business, and technological approaches to addressing cybersecurity risks.

Since issuing the Framework, NIST has focused on raising awareness of the Framework and how it can be used to manage cyber risks.  Now, NIST is seeking a better understanding of how companies and organizations are using the Framework and what aspects of the Framework have been “helpful or challenging.”  Consequently, NIST has issued an RFI seeking information in three areas: (1) current awareness of the Framework; (2) early implementation experiences for those organizations utilizing the Framework; and (3) input on the utility of the Roadmap included within the Framework.  A series of suggested questions is included within each category; however, respondents are free to comment beyond the questions.

NIST intends to use the responses it receives to:

  • inform its approach to possible tools and resources that could be used to assist organizations in the efficient and effective use of the Framework;
  • inform subsequent versions of the Framework;
  • develop the agenda for an October 2014 workshop on the Framework; and
  • shape the Department of Homeland Security Critical Infrastructure Cyber Community C³ Voluntary Program.

Comments to NIST are due October 10, 2014.