NIST Releases Update to Cybersecurity Framework
The National Institute of Standards and Technology (NIST) released a new version of its popular Cybersecurity Framework last week.
The National Institute of Standards and Technology, an agency that operates under the United States Department of Commerce to develop standards and guidelines that many government entities and companies comply with, released an update to its Cybersecurity Framework last week.
While it wasn't initially formed as a regulatory body, the framework – also known by its full name, Framework for Improving Critical Infrastructure Cybersecurity – is one of the more commonly adopted set of security standards, alongside provisions like DFARS, ISO, GDPR, HIPAA, and SOC2. The framework was developed to complement the energy, banking, communications and the defense industrial base sector but has found its way into other industry sectors, including the government sector, over the last four years.
Only 30 percent of U.S. organizations used the framework in 2015 but that figure is expected to rise to 50 percent by 2020, according to Gartner.
The update, version 1.1, includes tweaks to the framework's authentication and identity, self-assessing cybersecurity, managing cybersecurity within the supply chain, and vulnerability disclosure sections.
“This update refines, clarifies and enhances Version 1.0,” Matt Barrett, program manager for the Cybersecurity Framework said in a release. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
In the latest revision the framework added two subcategories for both Authentication and Identity Proofing, in hopes to better account for authentication, authorization, and identity proofing.
What is NIST Compliance? (Checklist, Definition, & More)
The section on self-assessing cybersecurity risk is really the largest addition to the framework however. It explains how the Cybersecurity Framework can be used by organizations to understand risk, and how organizations should use measurements to optimize its use.
“The development of cybersecurity performance metrics is evolving. Organizations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management,” the document reads. “Judging cyber risk requires discipline and should be revisited periodically.”
“Tracking security measures and business outcomes may provide meaningful insight as to how changes in granular security controls affect the completion of organizational objectives. Verifying achievement of some organizational objectives requires analyzing the data only after that objective was to have been achieved.”
The supply chain risk management (SCRM) sections, 3.3 and 3.4, delve into risks associated with commercial off-the-shelf products, and highlights the "crucial role of cyber SCRM in addressing cybersecurity risk in critical infrastructure and the broader digital economy."
NIST is encouraging users to review the 55-page document, (.PDF) released last Monday, but customize it to enhance how it affects their organization’s value.
It's not the last update NIST plans around the framework; it said last week it plans to release a companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which, something it claims will describe areas of development, alignment and collaboration, later this year..
President Trump issued an executive order last May mandating that federal agencies adopt the framework to assess and manage cyber risk. The framework was initially created by an Obama executive order in 2013 and run out of the Commerce Department. Trump's EO zigged where Obama zagged; Obama encouraged critical infrastructure stakeholders to adopt it voluntarily.
In a written testimony this week, Eric Rosenbach, a Lecturer in Public Policy and co-director of Harvard University's Belfer Center for Science and International Affairs told senators that Congress should mandate all critical infrastructure providers to adopt the framework. Rosenbach, who testified before the United States Senate Committee on Homeland Security and Governmental Affairs on Wednesday cited recent ransomware attacks on the city of Atlanta and Boeing to drive home his point that there are palpable threats that need addressing.
"Cyber risk affects all corners of our economy and society. It is a whole-of-nation threat. It can only be successfully addressed with a whole-of-nation effort. The Government has a leading role to play. But ultimately, actions by private enterprise and non-government organizations will be keyto our success," Rosenbach wrote, "Congress can do more to incentivize the private sector to act."
Image of NIST's Boulder, CO location via NIST