Policy Proposals  Industrial Technology   Views on Revision of the NIST Cybersecurity Framework

April 25, 2022

Cybersecurity Enhancement Working Group
Committee on Cyber Security

1. Relationships among Frameworks

We would suggest clarifying the relationship among NIST SP800 series publications in the cybersecurity framework (CSF) documents. For example, if companies also apply SP800-207 (Zero-Trust Architecture) when taking measures using the NIST CSF and SP800-171, it would be useful to have some indication of effects on the five core functions.

2. Relative Importance of the CSF Function Categories/Subcategories

Since recent updates to the NIST CSF have tended to emphasize the "respond" and "recover" functions, we suggest a review of the relative importance of the function categories/subcategories.

3. Request for Future Framework Updates

Japan is looking ahead to a society where all people and things are connected via the Internet of Things, a concept we call "Society 5.0." Many companies in Japan utilize the NIST CSF when implementing cybersecurity measures. As part of such measures, companies need to minimize shutdowns of system interoperability and thus minimize "respond" and "recover" actions. When an incident occurs, business must be halted once the "respond" and "recover" phases are reached.

To avoid reaching this point, it is important to introduce the Zero-Trust Architecture (ZTA) concepts of SP800-207, establish a new "prevent" phase between the "protect" and "detect" phases, and take preventive measures before an incident forces business to halt.

In the "prevent" phase, authenticity of all people (authentication), things (procurement, economic security), and processes related to the supply chain should always be confirmed on a zero-trust basis.