The National Institute of Standards and Technology published an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) on April 16, 2018.
The Cybersecurity Framework was first made available in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector companies to assist in their cybersecurity programs. While intended to be used by critical infrastructure businesses, the flexibility of the Framework means it can also be used by a wide range of businesses, large and small, including healthcare groups.
The Cybersecurity Framework incorporates guidelines, standards, and best practices and provides a flexible approach to cybersecurity. The Framework can be used in many ways, with ample room for customization. It helps groups tackle different threats and weaknesses and accommodates various levels of risk tolerance.
The Framework was formulated to be a living document that can be updated and improved over time in response to feedback from users, changing best practices, new threats, and evolution in technology. The new version is the first significant update to the Framework since 2014 and the result of two years of development.
NIST’s Matt Barrett, program manager for the Cybersecurity Framework, remarked that the latest version “refines, clarifies and enhances version 1.0.” While several amendments have been made in version 1.1, Barrett said, “It is still flexible to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
Version 1.1 of the Cybersecurity Framework includes a range of updates in response to comments and feedback submitted in 2016 and 2017 from organizations that have already implemented the Framework.
Version 1.1 refines the guidelines on authentication, authorization and identity proofing and gives an improved explanation of the relationship between implementation tiers and profiles. The Framework's coverage of Cyber Supply Chain Risk Management has been greatly expanded, and there is a new section on self-assessment of cybersecurity risk. The section on vulnerability disclosure has also been expanded, with a new subcategory added covering the vulnerability disclosure lifecycle.
“Cybersecurity is critical for national and economic security,” commented Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”
NIST is also aiming to release an accompanying ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later in 2018 and will be hosting a webinar later this month to discuss the version 1.1 updates to the Framework.