Last week, the National Institute of Standards and Technology released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity—more commonly known as the Cybersecurity Framework.
The first version of the Cybersecurity Framework was issued in February 2014 as voluntary guidance to help critical infrastructure organizations better manage and reduce cybersecurity risk. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations, in both the public and private sectors, have since relied on it. The Framework has been used for a variety of purposes, including raising cybersecurity awareness, communicating with stakeholders inside an organization, and serving as a strategic planning tool for assessing cybersecurity risks and current practices.
As noted by NIST, the Cybersecurity Framework was, and continues to be, developed through ongoing engagement with stakeholders in government, industry, and academia. Version 1.1 in particular was the result of “eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.” This collaboration has undoubtedly contributed to the framework’s popularity and success, as exemplified by the framework’s widespread adoption by organizations globally.
Version 1.1 of the Cybersecurity Framework provides new details on authentication and identity management, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. Additionally, as explained by Matt Barrett, NIST’s program manager for the Cybersecurity Framework, Version 1.1 was written to “refine and enhance the original document and to make it easier to use.” The update, Barrett notes, “is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
We have previously discussed the challenges companies face in creating the proper incentives for the development of sound cybersecurity practices. Initially, industry looked to certifications, such as PCI DSS audits, as a measure of compliance. Data breach events such as the one suffered by retailer Target in late 2013 exposed the inherent limits of a point-in-time compliance model that depends on third-party audits: a company can pass its audit and still be breached shortly afterward. Such a model ignores the reality that cybersecurity is an iterative process, a cat-and-mouse game in which defenders must continually react to the evolving tactics of attackers. It also ignores the practical necessity of creating direct accountability for the company and its employees, or in other words, the need to create a culture of sound security practices in which security is recognized as a fundamental element of a profitable company rather than just a cost center. A Framework based on honest self-assessment, applied to specified domains (the Framework Core's five Functions: Identify, Protect, Detect, Respond and Recover) with measurable goals (a Current Profile measured against a Target Profile) and a thoughtful governance structure, invests the company in cybersecurity and continual improvement.
NIST actively encourages all businesses – regardless of size, industry, or sector – to review and consider the Framework as a helpful tool in managing cybersecurity risks.