NIST Cybersecurity Framework: Second Draft Published

by | Dec 4, 2017

Recently published, the second draft of the revised NIST Cybersecurity, Version 1.1 of the Framework, incorporates major changes to some of the current guidelines and many new additions.

Version 1.0 of the NIST Cybersecurity Framework was first released during 2014 with the target of assisting operators and owners of critical infrastructure review their risk profiles and improve their ability to stop, detect and react to cyberattacks. The Framework puts in place a common language for security models, practices and security measures across all sectors.

The Framework is based on worldwide accepted cybersecurity best practices and standards, and adoption of the Framework helps groups take a more proactive strategy for risk management. Since being published in 2014, the Framework has been implemented by many private and public sector groups to help them develop and adapt effective risk management practices.

Following the publication of the CSF, NIST has received many comments from public and private sector organizations on potential enhancements to improve usability of the Framework. This feedback was taken on board and incorporated in the first revised draft of the Framework which was released in January 2017. The most recent draft includes several refinements that take into account feedback received on the original draft of the revised Framework.

Several amendments have been made in version 1.1 of the NIST CSF to meet the obligations of the Cybersecurity Enhancement Act of 2014, which led to the establishment of the NIST CSF. The first version of the NIST CSF did not address all of the obligations, although the most recent update brings the NIST CSF closer to meeting all of its original aims.

The most recent version of the Framework clarifies some of the language regarding to cybersecurity measurement, further assistance is included on improving supply chain security, and alterations have been made to incorporate preventing risk of IoT devices and operational technology.

NIST has also released an update to its Roadmap for Improving Critical Infrastructure Security which describes many topics that will be considered for future revisions of the Framework and details of future planned events.

Adoption of the Framework is not mandatory for most groups, which can choose an appropriate implementation tier to suit their cybersecurity risk management measures. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made implementation of the Framework obligatory for all federal agencies.

Feedback on the second draft of the revised NIST Cybersecurity Framework is being taken until January 19, 2018. The release of the final version of the Cybersecurity Framework is expected in early 2018.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy