As cyber attacks increase across a number of industries, the National Institute of Standards and Technology wants to update the national cybersecurity strategy that has been in force since February 2014.

NIST, part of the Department of Commerce, is seeking industry comment through February 9, 2016, on the voluntary “Framework for Improving Critical Infrastructure Cybersecurity,” which has guided the strategy.

Cyber attacks have been an industry threat for some time, but 2015 saw attacks that were considerably more sophisticated and caused more damage than in previous years. The total number of victims from the 10 largest attacks in 2015, not including the recently announced hack at MaineGeneral Health, approaches 110 million—or one-third of the population.

Now, NIST wants to know the areas of the strategy that are working and the areas that need to be reconsidered. The bottom line is to learn “what good looks like,” says Matt Barrett, program manager of the framework.

The agency in recent months has had informal dialogue with a range of stakeholders on the framework, asking if an update is in order and what areas should be explored for changes. Stakeholders gave substantive comments and said an update was warranted, and it could be that the current threat landscape was a driving factor, Barrett adds.

Consequently, NIST’s questions in the request for information (RFI) focus on long-term maintenance and ownership of the framework and what the long-term relationship should be between government and industries across the nation. Up to now, the framework has been a government initiative with NIST maintaining documents, conducting outreach programs and managing evolution of the document. Now, Barrett says, it may be time for industry to take some or all of the ownership, and questions to that effect are part of the RFI.

Getting stakeholders to share threat information and cybersecurity best practices has been problematic, and a series of questions (16-19) seeks to assess the degree of information sharing, barriers to sharing, and steps the government can take to increase sharing. These questions, Barrett says, are the guts of helping regulators and stakeholders understand what a good cyber strategy looks like.

A series of new questions immediately follows, on the degree to which framework management should be transitioned to stakeholders.

The request for information is available here.

(This article appears courtesy of our sister publication, Health Data Management)
