The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions.
Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries.
The Framework is based on globally accepted cybersecurity best practices and standards, and adopting it helps organizations take a more proactive approach to risk management. Since its publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices.
Following the release of the CSF, NIST received numerous comments from public and private sector organizations on potential enhancements to improve the usability of the Framework. Those comments were taken on board and incorporated into the first revised draft of the Framework, which was published in January 2017. The latest draft includes several refinements that take into account feedback received on that first revised draft.
Several changes have been made in version 1.1 of the NIST CSF to meet the requirements of the Cybersecurity Enhancement Act of 2014, which led to the creation of the NIST CSF. The first version of the NIST CSF failed to address all of the requirements, although the latest update brings the NIST CSF closer to meeting all of its initial goals.
The latest version of the Framework clarifies some of the language relating to cybersecurity measurement, adds further guidance on improving supply chain security, and incorporates the mitigation of risk from IoT devices and operational technology.
NIST has also issued an update to its Roadmap for Improving Critical Infrastructure Security, which lists several topics that will be considered for upcoming revisions of the Framework and describes planned future activities.
Adoption of the Framework is voluntary for most organizations, which can choose an appropriate implementation tier to suit their cybersecurity risk management practices. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made adoption of the Framework mandatory for all federal agencies.
Comments on the second draft of the revised NIST Cybersecurity Framework are being accepted until January 19, 2018. The final release of version 1.1 of the Cybersecurity Framework is expected in Spring 2018.