In August, NIST requested feedback from the owners and operators of the nation’s critical infrastructure to understand how the Framework for Improving Critical Infrastructure Cybersecurity was being used and how it could be improved. Most of the responses
posted by NIST were not from organizations running the infrastructure, but tech companies and industry associations.
The responses from trade associations were welcomed by NIST as a way to get the consensus viewpoint of the hundreds of companies that make up their membership. One concern brought up by the American Water Works Association was that the Framework doesn’t acknowledge that many industries are already operating under, and worried that additional Framework guidelines might cause confusion.
The Nuclear Regulatory Commission was one of a few federal agencies to reply to the request for feedback. Their comments said that among commercial nuclear reactor operators, the NIST Framework is not prevalent. Not because they are operating without infrastructure security guidelines, but because the NRC already published mandatory cybersecurity rules in 2009 as part of their code of federal regulations.
What’s this all mean for the NIST Framework? The nation’s critical infrastructure is massive in terms of size, geography and number of stakeholders. The goal of the feedback request was to find trends and ways to make the Framework stronger. It could be that the NIST Framework is going to be less of a guideline for organizations to build their cybersecurity, and more of a checklist to things not to forget.