Pre-Draft Call for Comments | Information Security Handbook: A Guide for Managers
NIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing a Pre-Draft Call for Comments to solicit feedback from users. The public comment period is open through February 23, 2024.
Since SP 800-100 was published in October of 2006, NIST has developed new frameworks for cybersecurity and risk management and released major updates to critical resources and references. This revision would focus the document’s scope for the intended audience and ensure alignment with other NIST guidance. Before revising, NIST would like to invite users and stakeholders to suggest changes that would improve the document’s effectiveness, relevance, and general use with regard to cybersecurity governance and the intersections between various organizational roles and information security.
NIST welcomes feedback and input on any aspect of SP 800-100 and additionally proposes a non-exhaustive list of questions and topics for consideration:
- What role do you fill in your organization?
- How have you used or referenced SP 800-100?
- What specific topics in SP 800-100 are most useful to you?
- What challenges have you faced in applying the guidance in SP 800-100?
- Is the document’s current level of specificity appropriate, too detailed, or too general? If the level of specificity is not appropriate, why?
- How can NIST improve the alignment between SP 800-100 and other frameworks and publications?
- What new cybersecurity capabilities, challenges, or topics should be addressed?
- What current topics or sections in the document are out of scope, no longer relevant, or better addressed elsewhere?
- Are there other substantive suggestions that would improve the document?
- Specific topics to consider for revision or improvement:
  - Cybersecurity governance
  - Role of information security in the software development life cycle (e.g., agile development)
  - Contingency planning and the intersection of roles across organizations
  - Risk management
  - Enterprise risk management
  - Supply chain risk management and acquisitions
  - Metrics development and cybersecurity scorecard
  - System authorizations
  - Relationship between privacy and information security programs
The comment period is open through February 23, 2024. See the publication details for information on how to submit comments, such as using the comment template.