Today's Top Story

NIST CSF 2.0 Crosswalk Comments Close Wednesday

The Initial Public Draft of NIST SP 1347, Cybersecurity Framework 2.0: Informative References Quick-Start Guide is in its final 48 hours of public comment, closing Wednesday, May 6 at 11:59 PM EST. The guide explains how informative references map cybersecurity controls back to CSF 2.0 outcomes, introduces NIST's CSF 2.0 Reference Tool and the Online Informative References Program, and covers how AI tools can support reference-data use. If your team maintains internal CSF crosswalks — or runs any GenAI control-mapping project — this is your last chance to shape the model downstream auditors will lean on. Comments to [email protected].

Also Today

FedRAMP RFC-0031 ends one-hour-flat incident reporting — comments due May 12. Released April 8, RFC-0031 retires the current one-hour-regardless-of-severity rule for authorized CSPs and replaces it with a Potential Adverse Impact Number (PAIN) matrix (N1 → N5) crossed against each provider's Certification Class. Reporting windows can run as short as 15 minutes for the highest-impact incidents. Final language folds into FedRAMP Consolidated Rules 2026 at end of June. Action: if you operate a FedRAMP-authorized cloud, draft your PAIN-rating playbook and submit a comment via Discussion #138 by May 12. RFC-0031 →

EO 14390 cybercrime review is due tomorrow. Executive Order 14390, signed March 6, ordered Relevant Federal Authorities to review existing frameworks for combating transnational cyber-enabled crime. The 60-day review is due May 5 (1 day); the 120-day coordinated action plan from the AG and DHS Secretary lands July 4. Watch for procurement-implications language around how federal agencies will engage commercial cyber firms for attribution and disruption. Action: track DOJ / Treasury / ONCD readouts tomorrow. EO 14390 →

End-May enforcement and EU draft land in three weeks. Two parallel deadlines deserve calendar holds. NERC CIP-003-11 takes effect May 26 (22 days) under FERC Order No. 918, adding objective-based requirements for low-impact BES Cyber Systems with external routable connectivity — malicious-communications detection, authenticated remote-user access, and protection of authentication data in transit. The next day, May 27, the European Commission is scheduled to publish its full Tech Sovereignty package, including a draft Cloud and AI Development Act converting the Cloud Sovereignty Framework's SEAL-0 → SEAL-4 levels from voluntary procurement criteria into binding obligations. Action: NERC entities, inventory low-impact BES Cyber Systems with ERC; EU public-sector cloud providers, map current attestation posture against SEAL-2 / SEAL-3 evidence. NERC CIP-003-11 → · EC cloud-sovereignty →

Deadline Alert

Five short-fuse milestones in the next four weeks:

  • Tomorrow, May 5 — EO 14390 60-day cybercrime review due.

  • Wednesday, May 6 — NIST SP 1347 public comment closes (11:59 PM EST).

  • Tuesday, May 12 — FedRAMP RFC-0031 public comment closes (11:59 PM ET).

  • Tuesday, May 26 — NERC CIP-003-11 effective.

  • Wednesday, May 27 — EU Tech Sovereignty package + Cloud and AI Development Act draft expected.

One Thing to Do Today

If you maintain an internal CSF crosswalk or run any GenAI control-mapping project, validate it against NIST SP 1347 and submit a comment to [email protected] before 11:59 PM EST Wednesday. This is the cheapest day to shape the standard — by next week your only options are conformance and consequence.

Tomorrow's Focus

Tuesday: Privacy & Personal Data Protection.

CyberEyeQ — Actionable Regulatory Intelligence
Reply to this email or write to [email protected] with feedback.
cybereyeq.com
