The National Institute of Standards and Technology (NIST) on Tuesday issued a draft update to the Framework for Improving Critical Infrastructure Cybersecurity, known as the Cybersecurity Framework.
The draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces cybersecurity measurement methods. NIST explained “the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.”
The original Cybersecurity Framework was first published in February 2014, as directed by a February 2013 presidential executive order on improving critical infrastructure cybersecurity, following a collaborative process with industry, academia, and government agencies. It was intended as a voluntary framework to help organizations in critical infrastructure sectors manage cybersecurity risk. Since then, however, it has been adopted far more widely, by other types of organizations in the U.S. and abroad, as a de facto standard.
The Cybersecurity Enhancement Act of 2014 (S. 1353) directed NIST to continue working on the framework.
NIST said the new 2017 draft Version 1.1 incorporates feedback received since the release of the original, including responses to a December 2015 Request for Information (RFI) and input from attendees of the Cybersecurity Framework Workshop 2016 held at NIST’s campus in Gaithersburg, Md.
“We wrote this update to refine and enhance the original document and to make it easier to use. This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation,” Matt Barrett, NIST program manager for the Cybersecurity Framework, said in a statement.
The draft authors developed a common vocabulary for cyber supply chain risk management so that organizations working together on a joint project can clearly communicate their cybersecurity needs to one another. Such supply chain risk management covers scenarios like a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system, the agency said.
The new document also renames the Access Control category to Identity Management and Access Control and revises it, clarifying and expanding the definitions of the terms authentication (verifying that a claimed identity is genuine) and authorization (deciding what an authenticated identity is permitted to do). NIST also added and defined the related concept of “identity proofing,” the process of establishing that a person or entity is who they claim to be before a credential is issued.
Barrett added that the draft introduces the notion of cybersecurity measurement in order to start that conversation. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” he said.
This draft revision is open for comment through April 10, 2017. Comments should be sent to [email protected].