As it begins planning to revise its widely praised Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) has requested that interested parties supply comments on how NIST can improve the effectiveness of the CSF and its alignment with other cybersecurity resources. NIST’s last update of the framework, first released in 2014 under an executive order issued by President Obama, was in 2018.

“There is no single issue driving this change,” NIST Chief Cybersecurity Advisor Kevin Stine said in a statement. “This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”

NIST raises a host of questions

In its published request for information, NIST raises a host of “non-exhaustive” questions that it hopes will move the ball forward in making the framework more applicable to a broader range of users while incorporating improvements, including a greater focus on supply-chain-related cybersecurity needs. Specifically, NIST asks a series of questions about how to improve the use of the framework, including whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the impact of the framework and what challenges organizations face in using the framework, among other questions.

NIST also asks for suggestions on improving alignment or integration of the Cybersecurity Framework with other NIST risk management resources such as the NIST Risk Management Framework, the NIST Privacy Framework, and Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). NIST further asks for ways to improve alignment or integration of the NIST framework with other non-NIST frameworks, such as international approaches like the ISO/IEC 27000-series, including ISO/IEC TS 27110.

Regarding supply chains, NIST is requesting information to help identify supply-chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a public-private nonprofit founded by NIST, with the CSF. Moreover, NIST asks whether it needs to create a dedicated framework addressing cybersecurity supply chain risk management or if this should be addressed through more effective treatment of supply chain risk in the CSF.

CSF update is sensible and timely

Reaction from cybersecurity specialists to the update is generally favorable. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA), says that the push to create frameworks, best practices, and supporting guidance and tweaking them on a more ongoing basis has gained momentum in the wake of recent increased cyber threats. “This announcement from NIST and the collaborative approach it seems to be taking is not only unsurprising but is also very sensible as we continue to work to refine and modernize our cybersecurity operations,” Plaggemier tells CSO.

Dr. Joerg Borchert, president and chair of the Trusted Computing Group, says a CSF revamp is now due. “As the early framework was created in 2014, a revamp is timely,” he tells CSO. “The overhaul provides a chance to update the CSF to the threat vectors and new challenges.”

Borchert says the CSF is already a leading framework in the international community. “When it really comes down to it, there are only a few frameworks for cybersecurity that are commonly accepted as best practices,” he says, noting that the other leading frameworks on par with the CSF in the international community include ISO 27001/27002, NIST SP 800-53, Secure Controls Framework (SCF) and the payment standard PCI DSS.

Secure Code Warrior’s CTO and co-founder, Dr. Matias Madou, agrees that NIST is already a front-runner on the international scene regarding cybersecurity frameworks, particularly in the area of secure software development. “I do hope a lot of organizations and countries are looking at this roadmap they’re laying out and will follow suit. U.S. companies have led the way in securing software and validating the software.”

Brian Behlendorf, general manager of the Open Source Security Foundation, says that NIST’s plan to tackle supply chain issues dovetails with his hope that a consistent way emerges for software developers to choose the building blocks in their software. “What we have not done is build a metrics-driven, data-driven approach to helping developers make decisions,” Behlendorf tells CSO. “If NIST can be helpful in driving industry toward a set of common standards and data formats and terminology around all of this, I think that would be helpful in moving things forward.”

GAO hopes the update will fix agency adoption problems

Dave Hinchman, acting director in the Government Accountability Office’s (GAO) Information Technology and Cybersecurity team and author of a recent GAO report on how government agencies have adopted the NIST Framework, hopes the NIST update process will address issues that have thwarted agency adoption of the CSF. The GAO’s most recent report, issued earlier this month, is the final of four statutorily mandated studies. It found that only three of the federal government’s 16 critical infrastructure sector risk management agencies (SRMAs) have implemented the CSF after eight years of being urged to do so.

“When you see some of the things we found, it’s not a great picture,” Hinchman tells CSO. “Only three agencies have determined how they’re going to adopt the framework. Four have finally started some effort, but the [remaining] sectors haven’t done anything. We have had a pretty good discussion of a lot of the challenges that agencies are citing in why they’re not making better progress.”

Voluntary nature, lack of metrics slow framework adoption

The most significant barrier to agency adoption of the framework is that it’s voluntary, Hinchman says, which NIST does not have the authority to change. Another big problem that Hinchman cites is the lack of metrics, a topic that NIST raises in its request for information. As auditors, the GAO likes “hard things,” he says. “What are the specific targets that we’re doing? That’s maybe something to consider, whether there’s a way to build in some metrics. I think that could help drive adoption because it’s a way that there’s a measurable outcome or a measurable target that you can track against.” Hinchman notes that NIST had already made some progress on the metrics front even before issuing its information request.

Yet another limitation holding back the adoption of the framework is a lack of tangible implementation guidance, Hinchman says. “I think that maybe it is time to sit down, revisit this and look at what it is that we can do to make this more palatable so that we get better adoption,” particularly given the voluntary nature of the CSF.

“I’ve been performance auditing the government now for almost 20 years, and when you’ve got big disconnects like what we’re seeing here, with what everyone says is this great framework that’s in place, but terrible adoption eight years on, there’s something that’s not clicking,” Hinchman says.

He praises NIST’s decision to update the framework, hoping that NIST takes what the GAO has discovered to heart. “The NIST and DHS programs got mixed reviews at best from agencies. You have to acknowledge agencies’ complaints about those programs and admit that more needs to be done. This request for information is a great first step.” But, “at the end of the day, agencies are really just struggling to get adoption in place.”

NIST did not respond to multiple requests for comment on the GAO report and Hinchman’s remarks.