The National Institute of Standards and Technology issued the finalized updates to its Cybersecurity Framework on April 16, 2018.
The new version 1.1 of the Cybersecurity Framework, which was developed through public feedback collected in 2016 and 2017, includes updates to authentication and identity, self-assessing cyber risk, managing cybersecurity within the supply chain and vulnerability disclosure.
“This update refines, clarifies and enhances version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the internet of things.”
NIST also plans to release an updated Roadmap for Improving Critical Infrastructure Cybersecurity later this year as a companion to the framework.
“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”
The NIST Cybersecurity Framework has featured heavily in recent government IT and cybersecurity initiatives, and received a callout in the White House IT Modernization report released in December 2017.
In a news release, Rep. Jim Langevin, D-R.I., applauded the update for keeping the framework relevant in the face of a changing cyber landscape:
“In the four years since its release, countless organizations have used the NIST Cybersecurity Framework to voluntarily assess their cybersecurity risk posture, identify gaps, and prioritize security best practices. As demonstrated by the Russian government’s targeting of our election systems, however, the cybersecurity threats to our critical infrastructure continue to evolve. Today’s release marks an important evolution of the Framework that will ensure it remains relevant as risk management practices change to keep pace with the threat.”
Langevin added that, while the update brings many positive additions to the framework, the process missed an opportunity to offer more concrete guidance on how to quantify risk.
Industry, too, offered support for the new changes.
“There’s a lot to like in the new Framework, but one area where they made big strides is on supply chain risk management,” said David Damato, chief security officer at Tanium.
“2017 was the year of the supply chain attack, with attacks from NotPetya to CCleaner originating with a breach of a company’s third-party partner. The increasing attention NIST is bringing to this issue, and the standardized language they offer, will go a long way in helping organizations better understand the risks associated throughout their supply chain.”
NIST plans to host a webcast on the updated framework April 27, 2018, and the framework will also feature heavily at the agency’s Cybersecurity Risk Management Conference in November 2018.