The National Institute of Standards and Technology (NIST) made the updated version of the Cybersecurity Framework available on April 16, 2018. This framework for improving critical infrastructure cybersecurity was initially issued in February 2014. Critical infrastructure owners as well as public and private sector organizations adopted the Cybersecurity Framework to help them create their cybersecurity programs. The framework is not just for critical infrastructure industries. It is very flexible, so a wide range of businesses adopted it, including healthcare organizations.
The Cybersecurity Framework offers a flexible approach to cybersecurity through its guidelines, standards and best practices advice. It can be used in several ways with options for customization. It provides organizations with solutions for different threats and vulnerabilities while matching varying levels of risk tolerance.
The Framework was intended to serve as a living document that can be improved and updated as users provide feedback on the material. Updates are also necessary as best practices change, new threats arise and technology advances. After two years of development, version 1.1 is the first Framework update since 2014. The update incorporates the comments and feedback received from organizations that adopted the Framework from 2016 to 2017.
The program manager for the Cybersecurity Framework, Matt Barrett, stated that they refined, clarified and enhanced version 1.0. Even with the changes, the Framework is still flexible enough to satisfy the needs of different organizations and applies to varied technology environments, including information technology, the Internet of Things and industrial control systems.
The following were improved in Version 1.1:
- Guidelines on authentication, authorization and identity proofing
- Explanation of the relationship between implementation tiers and profiles
- Expansion of the Framework for Cyber Supply Chain Risk Management
- New section added on self-assessment of cybersecurity risk
- Expansion of the section on disclosure of vulnerabilities by adding a new subcategory to the vulnerability disclosure lifecycle
Secretary of Commerce Wilbur Ross emphasized the importance of cybersecurity for national and economic security. Adopting the NIST Cybersecurity Framework gives companies a first line of defense against cyber threats. A companion “Roadmap for Improving Critical Infrastructure Cybersecurity” will be released by NIST later this year. NIST also plans to host a webinar to discuss the updates in Framework Version 1.1.