Tech companies, civil society groups, and individuals have submitted comments in response to the National Institute of Standards and Technology’s (NIST) request for public comment on version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity.”
They recommended that NIST explicitly incorporate coordinated vulnerability disclosure and handling processes into the framework Core and Tiers.
They argued that building such processes into the framework would not amount to a major revision but rather a clarification of elements already present in it, one that would help organizations evaluate their preparedness to receive and act on vulnerability information and to communicate with internal and external stakeholders.
According to them, the clearest way to incorporate coordinated vulnerability disclosure and handling processes into the framework core would be to include a new subcategory dedicated to this concept. In addition, the framework core could incorporate coordinated vulnerability disclosure and handling processes by clarifying the scope of existing subcategories.
They also suggested that the “external participation” attribute of the framework tiers be fleshed out to address the maturity of an organization’s coordinated vulnerability disclosure and handling processes. This, they said, would align the external participation attribute with a revised ID.RA-2 and reinforce that organizations should be prepared to handle vulnerability reports from unaffiliated third parties, such as independent security researchers.