NIST Cybersecurity Framework: Second Draft Published

Recently published, the second draft of the revised NIST Cybersecurity, Version 1.1 of the Framework, incorporates major changes to some of the current guidelines and many new additions.

Version 1.0 of the NIST Cybersecurity Framework was first released during 2014 with the target of assisting operators and owners of critical infrastructure review their risk profiles and improve their ability to stop, detect and react to cyberattacks. The Framework puts in place a common language for security models, practices and security measures across all sectors.

The Framework is based on worldwide accepted cybersecurity best practices and standards, and adoption of the Framework helps groups take a more proactive strategy for risk management. Since being published in 2014, the Framework has been implemented by many private and public sector groups to help them develop and adapt effective risk management practices.

Following the publication of the CSF, NIST has received many comments from public and private sector organizations on potential enhancements to improve usability of the Framework. This feedback was taken on board and incorporated in the first revised draft of the Framework which was released in January 2017. The most recent draft includes several refinements that take into account feedback received on the original draft of the revised Framework.

Several amendments have been made in version 1.1 of the NIST CSF to meet the obligations of the Cybersecurity Enhancement Act of 2014, which led to the establishment of the NIST CSF. The first version of the NIST CSF did not address all of the obligations, although the most recent update brings the NIST CSF closer to meeting all of its original aims.

The most recent version of the Framework clarifies some of the language regarding to cybersecurity measurement, further assistance is included on improving supply chain security, and alterations have been made to incorporate preventing risk of IoT devices and operational technology.

NIST has also released an update to its Roadmap for Improving Critical Infrastructure Security which describes many topics that will be considered for future revisions of the Framework and details of future planned events.

Adoption of the Framework is not mandatory for most groups, which can choose an appropriate implementation tier to suit their cybersecurity risk management measures. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made implementation of the Framework obligatory for all federal agencies.

Feedback on the second draft of the revised NIST Cybersecurity Framework is being taken until January 19, 2018. The release of the final version of the Cybersecurity Framework is expected in early 2018.