First Update of NIST’s Cybersecurity Framework Released

Earlier this month, the National Institute of Standards and Technology updated its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) with new guidelines and advice regarding best practices in the field of cybersecurity.

Since its first publication in 2014, the Cybersecurity Framework has been widely influential, and many critical infrastructure owners and public and private sector organisations use the Framework to shape their own cybersecurity programs. Although the Framework was initially aimed at those working in the critical infrastructure industry, its guidelines are broad and may be applied in a variety of professional settings. This flexibility has allowed it to be adopted by a wide range of businesses, large and small. Due to the huge increase in the use of mobile technologies in the healthcare industry, more and more healthcare organisations have looked to the Cybersecurity Framework for guidance.

The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. It is designed such that organisations can take a customised approach to cybersecurity, suiting the size of their organisation and the scale on which it operates. The Framework helps organisations address different threats and vulnerabilities and matches various levels of risk tolerance.

From its inception, the Framework was designed to be updated and improved over time, evolving alongside the industries it serves. The document is revised in response to research on user experience, and its guidance on best practices changes accordingly. It also evolves in response to new threats and advances in technology. The new version is the first major update to the Framework since 2014 and the result of two years of development.

NIST’s Matt Barrett, program manager for the Cybersecurity Framework, explained that the latest version “refines, clarifies and enhances version 1.0.” While several changes have been made in Version 1.1, Barrett explained, “It is still flexible to meet an individual organisation’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

Version 1.1 of the Cybersecurity Framework includes several updates in response to comments and feedback received in 2016 and 2017 from organisations that have already adopted the Framework. In particular, guidelines on authentication, authorisation and identity proofing are updated. Version 1.1 also offers a better explanation of the relationship between implementation tiers and profiles.

In response to the increasing threats of phishing and hacking, the Framework for Cyber Supply Chain Risk Management has been significantly expanded and there is a new section on self-assessment of cybersecurity risk. The section on disclosure of vulnerabilities was expanded with a new subcategory added related to the vulnerability disclosure lifecycle.

Commenting on the updates, the Secretary of Commerce, Wilbur Ross, said: “Cybersecurity is critical for national and economic security. The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.”

NIST is also planning to release a companion ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later this year and will be hosting a webinar later this month to explain and discuss the version 1.1 updates to the Framework.