Initial Summary Analysis of Responses to the Request for Information (RFI)
Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and
Cybersecurity Supply Chain Risk Management
National Institute of Standards and Technology (NIST)
June 3, 2022
Introduction
On February 22, 2022, NIST issued a public Request for Information (RFI), “Evaluating and Improving
NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk
Management.” The RFI sought information on the use of the NIST Cybersecurity Framework as well as
recommendations to improve the effectiveness of the Framework and its alignment with other
cybersecurity resources. The RFI also sought suggestions to inform other cybersecurity efforts at NIST,
especially related to supply chain cybersecurity risks. When the RFI was issued, Commerce Deputy
Secretary Don Graves stated: “Every organization needs to manage cybersecurity risk as a part of doing
business, whether it is in industry, government or academia...It is critical to their resilience and to our
nation’s economic security. There are many tools available to help, and the CSF is one of the leading
frameworks for private sector cybersecurity maintenance. We want private and public sector
organizations to help make it even more useful and widely used, including by small companies.”
This document represents an initial, high-level summary of the RFI responses. NIST received more than
130 RFI responses, including many comments submitted jointly by multiple organizations or
associations representing numerous organizations. The responses can be found on the NIST CSF
website.
Figure 1 RFI Responses Received by Category
Summary Analysis of Responses to the Cybersecurity RFI
Figure 2 RFI Responses Received by Subcategory
The NIST Framework for Improving Critical Infrastructure Cybersecurity (also called Cybersecurity
Framework, Framework, or CSF) was released in February 2014 after extensive public engagement and
collaboration. The Framework serves as a prominent resource to manage cybersecurity risks holistically
across an organization. It has been downloaded over 1.7 million times and is used by organizations of
varying sectors, sizes, and locations. It has been adopted internationally, with the English version
complemented by nine translations.
The CSF was intended to be a living document that is refined, improved, and evolves over time to keep
pace with technology and threat trends, integrate lessons learned, and move best practice to common
practice. NIST updated the Framework in April 2018 with CSF 1.1. Based on the RFI responses, and in
order to keep pace with the ever-evolving cybersecurity landscape and to help organizations more
easily and effectively manage cybersecurity risk, NIST is planning a new update to the Framework.
The RFI also sought information on the challenges organizations are facing from a technology supply
chain perspective to inform the NIST-led public-private partnership, the National Initiative for
Improving Cybersecurity in Supply Chains (NIICS). NIST requested information about needed supply
chain tools and guidance, as well as how NIICS might be aligned and integrated with the CSF.
This summary analysis will serve as a starting point for scoping the update to the NIST Cybersecurity
Framework, as well as scoping NIICS.
NIST intends to continue to rely on and seek stakeholder feedback throughout the process to update
the Framework. This will include public webinars and workshops, as well as feedback on at least one
Framework draft