NIST Releases Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity

In February 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, sometimes known as NIST’s Cybersecurity Framework. The Framework was a result of Executive Order 13636, issued by President Obama the year before and entitled Improving Critical Infrastructure Cybersecurity, which ordered NIST to develop a framework for reducing cyber risks to critical infrastructure. For now, compliance with the Framework remains voluntary. The Framework offers important guidance, based on existing standards and guidelines, for all organizations to better manage and reduce their cybersecurity risk, especially cyber risks to critical infrastructure.

On January 9, 2017, NIST issued the long-awaited update to its Framework, Version 1.1 (the “draft Version 1.1”). Providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the draft Version 1.1 seeks to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks. The draft Version 1.1 contains important updates to the February 2014 document, including:

  • A new section on cybersecurity measurement entitled Measuring and Demonstrating Cybersecurity, which discusses the correlation of business results to cybersecurity risk management metrics and measures.
  • An expanded explanation of using the Framework for Cyber Supply Chain Risk Management purposes, which will help users better understand Cyber SCRM.
  • Refinements to better account for authentication, authorization and identity proofing.
  • Better explanation of the relationship between the Implementation Tiers and Profiles. The update added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation.

According to NIST, the update was written to refine and enhance the original Framework and to make it easier to use. Importantly, the draft Version 1.1 incorporates feedback received since the release of the Framework, integrating comments from the December 2015 Request for Information and from attendees at the Cybersecurity Framework Workshop held by NIST in 2016. NIST seeks public comment on the draft, including the following seven questions:

  1. Are there any topics not addressed in the draft Version 1.1 that could be addressed in the final?
  2. How do the changes in the draft Version 1.1 impact the cybersecurity ecosystem?
  3. For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  4. For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  5. Does this proposed update adequately reflect advances made in the Roadmap areas?
  6. Is there a better label than “version 1.1” for this update?
  7. Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

Feedback and comments can be directed to cyberframework@nist.gov. The deadline to provide public comments is April 10, 2017. NIST intends to publish a final Framework Version 1.1 in the fall of 2017.