December 07, 2017

NIST releases updated draft of cyber framework

The National Institute of Standards and Technology (NIST) published an updated draft of its cybersecurity framework this week. In line with NAFCU's position, the draft places more emphasis on using external data sources to inform risk management.

Comments on the draft are due to NIST by Jan. 19.

This draft, released Dec. 5, also gives a better description of supply chain risk management and modifies a section – "Methodology to Protect Privacy and Civil Liberties" – which warns of risks associated with over-collection of user data.

NIST released its cybersecurity framework in 2014, and NAFCU has urged the agency to keep the framework voluntary. NAFCU-supported updates were made to the framework in April. Many credit unions have benefited from NIST's framework, as it has aided in the development of the Federal Financial Institutions Examination Council's cybersecurity assessment tool. The NCUA's future cybersecurity examination procedures may also mirror the cybersecurity assessment tool's structure.

NAFCU continues to urge NIST to work with other regulators and industry stakeholders to clarify how the framework should be used or adopted, and emphasize that there is no one-size-fits-all approach to cybersecurity. The association also asks NIST to use its expertise to educate lawmakers and regulators about emerging cybersecurity threats and the need for multi-sector collaboration to prevent consumer data breaches.