NIST Publishes Draft of Updated Cybersecurity Framework

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul.

According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework.

The Cybersecurity Framework was originally intended to help critical infrastructure operators safeguard information assets, but its adoption has been much wider. The Framework is now being used by a wide range of organizations of all types and sizes to reduce cybersecurity risk, and the update reflects that broader user base.

The updated version adds vocabulary to help organizations use the Framework for cyber supply chain risk management (cyber SCRM), and cyber supply chain risk management has been added to the Framework Core. In the draft, NIST has also expanded the section on communicating cybersecurity requirements with stakeholders to aid understanding of cyber supply chain risk management.

NIST explains, “A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.”

The access control and identity management definitions have also been updated, clarifying authentication, authorization, and identity proofing. The relationship between implementation tiers and profiles has been explained in detail, and a new section has been added on cybersecurity measurement.

Measuring an organization’s security status over time will enable organizations to convey meaningful risk information. Barrett explained that “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

NIST is seeking comments on “version 1.1” of the Framework by April 10. NIST plans to hold a public workshop on the new version in the fall of this year.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.