NIST Releases an Updated Cybersecurity Framework for Comment

By Eric Cosman
Category:
Technology Trends

On January 9, 2017, the National Institute of Standards and Technology (NIST) issued a draft update (Version 1.1) to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”).

NIST published Version 1.0 of the Framework in February 2014, after extensive consultation with a wide range of stakeholders in the public and private sectors. It was one of the more significant responses to U.S. Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Use of the Framework is voluntary, and organizations that choose to apply it are encouraged to tailor it to their own risk environment and business needs.

While the primary purpose of the Framework is to help organizations in the nation’s critical infrastructure manage cybersecurity risk, many other types of organizations across the country and around the world have also adopted it. NIST and others have developed a variety of supporting material, including a manufacturing profile that was released late last year.

The original Framework organized cybersecurity activities into five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is further broken down into Categories (22 in Version 1.0), such as “Risk Assessment,” “Awareness and Training” and “Response Planning,” and each Category into Subcategories that describe specific outcomes. Version 1.0 also introduced the concepts of Implementation Tiers and Profiles as tools for applying the Framework.

Recognizing that the first edition of the Framework had gaps, NIST also released a companion document (NIST Roadmap for Improving Critical Infrastructure Cybersecurity) that highlighted key “areas of improvement” for further “development, alignment, and collaboration.”

The updated Framework builds on the original version, addressing several of the topics in this roadmap. It also incorporates feedback, including comments, in response to NIST’s December 2015 Request for Information; questions frequently asked of NIST staff; and comments from 800 attendees at the April 2016 Cybersecurity Framework Workshop at the NIST campus in Gaithersburg, Maryland. NIST described the update as “…providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity…”

The update revises existing sections of the Framework and adds new material on a number of topics. All changes are marked and tracked in the review copy of the document. Specific topics addressed include:

Supply Chain Risk Management (SCRM)

The authors added considerations of SCRM throughout the document, including an expanded section on the subject of communicating cybersecurity requirements with stakeholders to help users better understand Cyber SCRM. Cyber SCRM has also been added as a property of Implementation Tiers.

There is a new Category called “Supply Chain Risk Management” in the Framework core, under the Identify function.

The draft also provides a common vocabulary so that organizations working together on a project can clearly communicate their cybersecurity requirements. It includes several examples of cyber supply chain risk management, such as a small business selecting a cloud service provider and a federal agency contracting with a system integrator to build an IT system.

Other standards and practices also address various aspects of supply chain risk management. For example, the ISA99 committee and IEC Technical Committee 65 have included it in various parts of the ISA/IEC 62443 series of standards for industrial automation and control system security.

Authentication, Authorization, and Identity Proofing

The revised draft also renames the “Access Control” Category to “Identity Management and Access Control,” to better reflect the real scope of the task. This includes clarifying and expanding the definitions of the terms “authentication” and “authorization.” The authors also added and defined the related concept of “identity proofing,” the process of verifying that a person claiming an identity actually is that person before credentials are issued.

The Relationship Between Implementation Tiers and Profiles

The revised draft includes added language to Section 3.2 (Establishing or Improving a Cybersecurity Program) on using Tiers in Framework implementation. The description of Tiers now reflects the integration of Framework considerations within organizational risk management programs.

Tiers and Profiles are often confused with a maturity model for assessing program effectiveness and planning improvements. They are not: a Tier is a single, organization-wide characterization of how rigorous and integrated the risk management process is, while a Profile is a selection of Framework outcomes (Categories and Subcategories) that an organization currently achieves or aims to achieve. The Framework itself states that Tiers do not represent maturity levels.
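To make the distinction concrete, the following is an added example (it is not NIST’s code and not part of the original article) that models a small, constructed subset of the Framework Core, builds a Current Profile and a Target Profile from it, and computes the prioritized gap list that a Framework-based improvement plan is built from. The Tier is deliberately a single attribute of the organization, not a per-category score. Category IDs and names follow the Framework’s convention; the organization, its profiles and the priorities are constructed sample data.

```python
"""Framework Core / Profile / Tier model with a gap analysis (added example, constructed data)."""
from dataclasses import dataclass

# Constructed subset of the Framework Core: Function -> Category ID -> Category name.
# ID.SC is the new Supply Chain Risk Management category introduced in the draft 1.1.
CORE = {
    "Identify": {"ID.AM": "Asset Management",
                 "ID.RA": "Risk Assessment",
                 "ID.SC": "Supply Chain Risk Management"},
    "Protect":  {"PR.AC": "Identity Management and Access Control",
                 "PR.AT": "Awareness and Training"},
    "Detect":   {"DE.CM": "Security Continuous Monitoring"},
    "Respond":  {"RS.RP": "Response Planning"},
    "Recover":  {"RC.RP": "Recovery Planning"},
}
FUNCTION_ORDER = list(CORE)                      # Identify, Protect, Detect, Respond, Recover
STATES = {"not_implemented": 0, "partial": 1, "implemented": 2}   # ordinal outcome states
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    category: str        # Framework Core category ID, e.g. "ID.SC"
    state: str           # one of STATES
    priority: int = 3    # 1 = highest; only meaningful in a Target Profile


def function_of(category_id):
    """Return the Function that owns a category, rejecting IDs not in the Core."""
    for function, categories in CORE.items():
        if category_id in categories:
            return function
    raise ValueError(f"unknown Framework Core category: {category_id}")


def build_profile(outcomes):
    """A Profile is a mapping of category ID -> selected outcome, validated against the Core."""
    profile = {}
    for outcome in outcomes:
        function_of(outcome.category)            # raises on an ID the Core does not define
        if outcome.state not in STATES:
            raise ValueError(f"unknown outcome state: {outcome.state}")
        profile[outcome.category] = outcome
    return profile


def gap_analysis(current, target):
    """List every target outcome the current profile falls short of, highest priority first.

    A category absent from the Current Profile is treated as not implemented.
    """
    gaps = []
    for category, want in target.items():
        have = current.get(category)
        have_state = have.state if have else "not_implemented"
        if STATES[have_state] < STATES[want.state]:
            function = function_of(category)
            gaps.append({"function": function, "category": category,
                         "name": CORE[function][category],
                         "current": have_state, "target": want.state,
                         "priority": want.priority})
    gaps.sort(key=lambda g: (g["priority"], FUNCTION_ORDER.index(g["function"]), g["category"]))
    return gaps


@dataclass
class Organization:
    name: str
    tier: int            # ONE organization-wide rating of the risk management process
    current: dict        # Current Profile
    target: dict         # Target Profile

    def summary(self):
        return {"tier": TIERS[self.tier],
                "open_gaps": len(gap_analysis(self.current, self.target))}


# Constructed sample organization (hypothetical; not a real assessment).
CURRENT_PROFILE = build_profile([
    Outcome("ID.AM", "implemented"), Outcome("ID.RA", "partial"),
    Outcome("PR.AC", "partial"),     Outcome("PR.AT", "implemented"),
    Outcome("DE.CM", "partial"),     Outcome("RS.RP", "implemented"),
])
TARGET_PROFILE = build_profile([
    Outcome("ID.AM", "implemented", 2), Outcome("ID.RA", "implemented", 1),
    Outcome("ID.SC", "partial", 1),     Outcome("PR.AC", "implemented", 1),
    Outcome("PR.AT", "implemented", 3), Outcome("DE.CM", "implemented", 2),
    Outcome("RS.RP", "implemented", 3), Outcome("RC.RP", "partial", 2),
])
ACME = Organization("Acme Widgets (constructed)", tier=2,
                    current=CURRENT_PROFILE, target=TARGET_PROFILE)

if __name__ == "__main__":
    print(ACME.summary())
    for gap in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"P{gap['priority']} {gap['category']} ({gap['name']}): "
              f"{gap['current']} -> {gap['target']}")
```

Note that a supplier or customer can exchange the Target Profile (a list of required outcomes) without ever exchanging a Tier, which is the communication use case the SCRM section of the draft describes; the Tier only answers “how formal and integrated is your process for getting there.”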

The updated Framework is available for review and comment until April 10, 2017. To aid reviewers in preparing their responses, NIST has posed the following specific questions:

  1. Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  2. How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  3. For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  4. For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  5. Does this proposed update adequately reflect advances made in the Roadmap areas?
  6. Is there a better label than “version 1.1” for this update?
  7. Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

The answers to these questions, as well as any other feedback and comments, will be used to finalize the next edition, which is expected to be available around the end of 2017.

Representatives from NIST will be providing more information about the revised Framework and related topics at the ARC Industry Forum in Orlando.
