The National Institute of Standards and Technology (NIST) has issued a draft of updated revisions to the Framework for Improving Critical Infrastructure Cybersecurity. The Cybersecurity Framework, introduced in February 2014, arose from President Obama’s Executive Order 13636 and derived from the collaboration between government and the private sector. It has provided a voluntary framework that “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management process.” The Cybersecurity Framework is a risk-based approach composed of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profiles.
The updated draft, Version 1.1, incorporates feedback received from the public and private sectors over the course of the past three years. As with the existing provisions, the proposed updated provisions are voluntary. According to NIST, “[C]urrent users can implement Version 1.1 with minimal or no disruption, as refinements were made with the objective of being compatible with Version 1.0.”
Among the key refinements, Version 1.1 adds a new section on cybersecurity management, which focuses on the correlation of business results to cybersecurity risk management metrics and measures. Considerations of “Cyber Supply Chain Risk Management (Cyber SCRM)” have been added throughout the update. Version 1.1 stresses that detailed communications with stakeholders will enhance the understanding of effective Cyber SCRM.
Additionally, refinements have been added to better account for authentication, authorization and identity proofing. The update seeks to improve the relationships and effectiveness of implementation tiers within an organization’s cybersecurity protocols. Throughout the update, an overriding theme is the importance of measurements of performance of discrete functions and sectors in the coordination of an organization’s global cyber risk management strategies.
The deadline to send comments on the draft is April 2017. Comments may be sent to [email protected]. NIST intends to publish a final Cybersecurity Framework, Version 1.1 around fall 2017.
Steven M. Richard is counsel at Nixon Peabody.