As part of its long-term effort to bolster cybersecurity, the National Institute of Standards and Technology (NIST) has released a draft cybersecurity and privacy mapping guide. The document, informed by standards and by information valued by the cybersecurity and privacy community, is open for public comment until October 6.
The draft, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings, details NIST’s proposed approach for identifying and documenting the relationships between concepts in cybersecurity and privacy, such as how the concepts of a NIST or third-party standard or guideline relate to the concepts of a foundational NIST publication, including the Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53 on Security and Privacy Controls for Information Systems and Organizations.
NIST explains that the approach is informed by concept system and terminology standards, as well as experience with what information the cybersecurity and privacy community would find most valuable.
“By following this approach, NIST and others in the cybersecurity and privacy standards community can jointly establish a single concept system over time that links cybersecurity and privacy concepts from many sources into a cohesive, consistent set of relationship mappings. The mappings can then be used by different audiences to better describe the interrelated aspects of the global cybersecurity and privacy corpus,” NIST reports.
The document addresses key questions related to standards and cybersecurity. Eventually, NIST intends for this approach to be used by both NIST and third parties for mapping relationships involving NIST cybersecurity and privacy publications that will be submitted via NIST’s National Online Informative References (OLIR) Program, for hosting in NIST’s online Cybersecurity and Privacy Reference Tool (CPRT).
Furthermore, elements of NIST’s approach are meant to supplement, rather than replace, organizations’ existing mapping methodologies.