The US Commerce Department’s National Institute of Standards and Technology (NIST) has announced at RSA Conference 2018 the release of version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.
The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
Numerous industry surveys from organizations such as Gartner, Tenable and Cisco indicate sustained and increasing use of the framework over time.
In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it.
What’s new in NIST Cybersecurity Framework 1.1?
The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs.
“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
Version 1.1 includes updates on:
- Authentication and identity,
- Self-assessing cybersecurity risk,
- Managing cybersecurity within the supply chain and
- Vulnerability disclosure.
The updated NIST framework has some really positive elements that will help organizations combat the changing threat landscape.
“First and foremost, the emphasis on securing the digital supply chain is a necessary response to the way that cyberattacks have evolved. The easiest path to a company’s data is often through a vulnerable third party, and the framework recognizes that,” says Fred Kneip, CEO, CyberGRX.
“The recommendation to conduct quarterly supply chain assessments included in the new framework is another step in the right direction. While acknowledging that third parties must be regularly assessed is important, quarterly reports will still create vulnerabilities that attackers can easily penetrate. Third-party risk exposure is constantly changing, and our visibility into that exposure needs to be accurate up-to-the-minute in order to understand which third parties pose the biggest risk. Without a continuous, real-time stream of accurate data, attackers will still have the upper hand.”
IP and cybersecurity attorney Eran Kahana noted that “companies subject to NYDFS and those self-certifying under Privacy Shield (among many other entities) should find the new Sections 3.3 and 4.0 of interest, as both are relevant to the conduct of security audits and related gap analysis.”
“Critics of the prior Framework noted that the Framework, while comprehensive, was not easy to implement. To address these concerns, Version 1.1 of the Framework refined its explanation of how the Framework should be integrated into an organization’s existing cybersecurity program,” says Jeffrey Haut, an attorney with the Vernon Litigation Group who focuses on commercial litigation, cybersecurity and privacy law matters.
“Like the prior Framework, an organization is free to choose how it implements Version 1.1 of the Framework, which can depend on the organization’s cybersecurity needs and specific technological resources and systems. At any level of implementation, however, the Framework can enhance and clarify any given organization’s approach to cybersecurity. Version 1.1 of the Framework also contains a new section on self-assessment that explains exactly how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.”
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.