The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.
The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.
NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.
The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day Jan. 19, 2018 and will likely go live with the changes shortly after.
“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.
The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.
NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.
The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high-level, the framework provides guidance on how organizations can identify, protect, detect, respond to, and recover from, cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.
Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.
The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain—an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST’s updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.
While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, says Edgard Capdevielle, CEO of Nozomi Networks.
Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC) believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.