25 January 2017

NIST Issues Draft of Revisions to Cybersecurity Framework


"Just to be clear, we're not headed toward a version 2.0 right now. We're definitely not," Matt Barrett, the NIST program manager overseeing the cybersecurity framework updates, said in a recent interview. "We're headed to something that's more like a 1.1."

Indeed, the latest draft of the framework is titled Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.

What's new in the draft? 

A new section on cybersecurity measurement. According to the draft, measuring security status and trends over time - internally, through external audit and through conformity assessment - enables an organization to understand and convey meaningful risk information. "In the update we introduce the notion of cybersecurity measurement to get the conversation started," Barrett said. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion." 

Types of Framework Measurements

  Note: Measures are concrete, usually measure one thing and are quantitative in nature. Metrics describe a quality and require a measurement baseline. Source: NIST 

A greatly expanded explanation of using the framework for cyber supply chain risk management purposes. An expanded section on communicating cybersecurity requirements with stakeholders, NIST contends, should help users better understand cyber supply chain risk management. NIST also added a supply chain risk management category to the framework core. "A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain," the draft states. 

Supply Chain Relationships Source: NIST 

Revised language in the access control category to account for authentication, authorization and identity proofing by adding a subcategory. Identity proofing verifies an individual's identity before they're issued credentials. Also, the category has been renamed identity management and access control to better represent its scope and subcategories. 

A better explanation of the relationship between implementation tiers and profiles. Implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. Profiles represent the outcomes based on business needs that an organization has selected from the framework categories. Profiles can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario. 

NIST Seeks Stakeholder Feedback

In a February 2013 executive order, President Barack Obama directed NIST to create the cybersecurity framework to help the operators of the mostly privately owned critical infrastructure to safeguard their information assets (see Obama Issues Cybersecurity Executive Order). NIST published the framework a year later (see NIST Releases Cybersecurity Framework). It's been widely adopted by critical infrastructure and other organizations in and out of government.

Congress, in enacting the Cybersecurity Enhancement Act of 2014, codified the framework into law (see Codifying Process That Created the Cybersecurity Framework). The law establishes a process for the government to develop IT security best practices with advice from industry that organizations can voluntarily adopt.

Draft 1.1 incorporates feedback NIST has received from stakeholders since the initial release of the framework and integrates comments received from a December 2015 request for information and from attendees at a cybersecurity framework workshop held last year at its Gaithersburg, Md., headquarters.

No comments: