NIST Issues Draft of Revisions to Cybersecurity FrameworkUpdate Addresses Metrics, Supply Chain Relationship Management, Access Management
The National Institute of Standards and Technology has published a draft of its first revision to its cybersecurity framework, describing it as an update, not a major overhaul.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"Just to be clear, we're not headed toward a version 2.0 right now. We're definitely not," Matt Barrett, the NIST program manager overseeing the cybersecurity framework updates, said in a recent interview. "We're headed to something that's more like a 1.1."
Indeed, the latest draft of the framework is titled Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.
What's new in the draft?
- A new section on cybersecurity measurement. According to the draft, measuring security status and trends over time - internally, through external audit and through conformity assessment - enables an organization to understand and convey meaningful risk information. "In the update we introduce the notion of cybersecurity measurement to get the conversation started," Barrett said. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion."
- A greatly expanded explanation of using the framework for cyber supply chain risk management purposes. An expanded section on communicating cybersecurity requirements with stakeholders, NIST contends, should help users better understand cyber supply chain risk management. NIST also added a supply chain risk management category to the framework core. "A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain," the draft states.
- Revised language in the access control category to account for authentication, authorization and identity proofing by adding a subcategory. Identity proofing verifies an individual's identity before they're issued credentials. Also, the category has been renamed identity management and access control to better represent its scope and subcategories.
Types of Framework Measurements
Supply Chain Relationships
- A better explanation of the relationship between implementation tiers and profiles. Implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. Profiles represent the outcomes based on business needs that an organization has selected from the framework categories. Profiles can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario.
NIST Seeks Stakeholder Feedback
In a February 2013 executive order, President Barack Obama directed NIST to create the cybersecurity framework to help the operators of the mostly privately owned critical infrastructure to safeguard their information assets (see Obama Issues Cybersecurity Executive Order). NIST published the framework a year later (see NIST Releases Cybersecurity Framework). It's been widely adopted by critical infrastructure and other organizations in and out of government.
Congress, in enacting the Cybersecurity Enhancement Act of 2014, codified the framework into law (see Codifying Process That Created the Cybersecurity Framework). The law establishes a process for the government to develop IT security best practices with advice from industry that organizations can voluntarily adopt.
Draft 1.1 incorporates feedback NIST has received from stakeholders since the initial release of the framework and integrates comments received from a December 2015 request for information and from attendees at a cybersecurity framework workshop held last year at its Gaithersburg, Md., headquarters.
NIST is seeking comments on draft 1.1 from stakeholders. Comments should be sent to email@example.com by April 10.