Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.
The framework was developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of a President Obama-issued executive order calling for the development of standards, guidelines, and practices to help organizations charged with providing the nation’s financial, energy, health care, and other critical systems better protect their information and physical assets from cyberattack.
Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts, and comment periods. Changes in Version 1.1 include updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure, among other changes.
For one, the update has renamed the Access Control Category to Identity Management and Access Control to better account for authentication, authorization, and identity-proofing.
It also has added a new section: Section 4.0 Self-Assessing Cybersecurity Risk with the Framework, explaining how organizations can use the framework to understand and assess their cybersecurity risk, including using measurements.
On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new Section 3.4 focuses on buying decisions and the use of the framework to understand the risk associated with commercial off-the-shelf products and services. Additional risk-management criteria were added to the Implementation Tiers, and a supply-chain risk-management category has been added to the Framework Core.
Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways an organization can use the framework; and adding a subcategory related to the vulnerability disclosure lifecycle.
“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things (IoT).”
Its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors and by federal, state, and local governments.
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director. “The Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia.”
So far, adoption of the framework has been relatively widespread: PwC’s 2018 Global State of Information Security Survey (GSISS), for instance, found that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set of information security standards in their respective industries. The report also found that financial institution clients widely embraced benchmarking their cyber risk management programs against the NIST Cybersecurity Framework.
“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.”
Efforts to expand its influence continue: In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Also, NIST noted that corporations, organizations, and countries worldwide, including Italy, Israel, and Uruguay, have adopted or adapted the framework.
Meanwhile, to help ease the adoption process, the Information Security Forum (ISF) has mapped the framework to its annual Standard of Good Practice for IT security professionals. Last year, IT governance organization ISACA launched an audit program aligning the NIST framework with COBIT 5, designed to give management an assessment of how effective an organization’s plans are for detecting and identifying cyber threats and protecting against them.
“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes crucial development, alignment, and collaboration areas.
“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies, and industries evolve. With this update, we’ve demonstrated a good process for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”