M3AAWG has submitted comments in response to the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework, which was released January 19, 2023.
The NIST Cybersecurity Framework (“CSF” or “Framework”), released in 2014 and updated in 2018, provides critical infrastructure-focused guidance to organizations to better understand, manage, reduce, and communicate cybersecurity risks and build controls to mitigate these risks. The CSF Concept Paper outlines and seeks input on potential significant changes currently under consideration by NIST as it develops the 2.0 version of the CSF.
M3AAWG generally supports the proposals in the paper but urges NIST to consider the impact of proposals that could potentially dilute the usefulness of a framework originally developed to focus on critical infrastructure cybersecurity risks and needs.
Examples of comments from M3AAWG include:
We ask NIST to consider that this broadening of scope could have the opposite effect; it could weaken the very cybersecurity risk management programs for critical infrastructure that are the CSF’s greatest strength. While there are various general frameworks, standards, and guidelines (e.g., NIST’s own Special Publications, CIS controls, and the ISO 27000 family) available to assist organizations to address security risks, the NIST CSF’s particular focus on critical infrastructure risks, needs, and concerns was unique. By trying to be everything to everyone, CSF 2.0 could become yet another general security framework that caters to a wide audience…
Reconsider broadening scope to small business and education. “…Not all educational institutions and small businesses can or should be considered critical infrastructure”
Consider how and with whom to collaborate to avoid delays and allow potentially adversarial parties to influence the process
Limit references to other NIST frameworks to avoid dilution
Additional comments can be found in the M3AAWG doc, https://www.m3aawg.org/sites/default/files/m3aawg_comments_on_nist_cybersecurity_framework_2.0_concept_paper.pdf.
M3AAWG supports the NIST effort to remain technology- and vendor-neutral, to develop profiles addressing email providers, and to improve the CSF website.
Details and more recommendations and comments are available here, https://www.m3aawg.org/sites/default/files/m3aawg_comments_on_nist_cybersecurity_framework_2.0_concept_paper.pdf.
M3AAWG has previously offered comments on various public policy initiatives, including FTC proposed actions, ICANN issues and more. Find these here, https://www.m3aawg.org/for-the-industry/published-comments.