The flagship model for organizational cybersecurity policies just got a new coat of paint.
The National Institute of Standards and Technology (NIST) on April 16 released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity, which updates the agency’s original voluntary cybersecurity framework for critical infrastructure sectors issued in 2014.
Version 1.1 adds a new section on self-assessment. Section 4.0 provides measurements that organizations can use to assess their cybersecurity risk. The new update also expands the section on supply chain risk management considerably, by adding Section 3.4, which “highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services.”
The update also provides refinements for authentication, authorization, and identity proofing, includes clarity and language revisions to promote application across sectors, and expands on the guidance it gives companies regarding coordinated vulnerability disclosure.
Industry professionals said they appreciated NIST’s openness to tackling emerging cybersecurity needs.
“2017 was the year of the supply chain attack, with attacks from NotPetya to CCleaner originating with a breach of a company’s third-party partner,” said David Damato, chief security officer at Tanium. “The increasing attention NIST is bringing to this issue, and the standardized language they offer, will go a long way in helping organizations better understand the risks associated throughout their supply chain.”
The White House declared the framework a major tenet of its cyber executive order in May 2017, and NIST has been retooling the policies to keep government cybersecurity accountable and also promote good cyber hygiene throughout the private sector. Reasons for that should be obvious.
“The voluntary NIST Cybersecurity Framework should be every company’s first line of defense,” said Commerce Secretary Wilbur Ross. “Adopting Version 1.1 is a must do for all CEOs.”
Many government organizations are already on cruise control with framework adoption, and private companies are increasingly getting on board, according to research from Tenable, Gartner, Cisco, and others.
This is the first major revision of the popular government framework, coming more than four years after the initial release of Version 1.0 in February 2014. The v1.1 update process began in 2015, and NIST released a draft update in January of last year.
While that might seem like a long gap between versions, NIST has called the framework a living document, and has detailed its process flow and outreach to industry on an ongoing basis.
“The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve,” said Matt Barrett, program manager for the framework. “With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”