Last week, the National Institute of Standards and Technology (NIST), a measurement standards laboratory in the United States Department of Commerce, released draft version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity.
In February 2014, NIST released version 1.0 of its Cybersecurity Framework pursuant to Executive Order 13636 by President Obama. The Cybersecurity Framework was the result of a collaborative effort between industry, academia, and government agencies, and was intended to develop a framework to assist the operators of the nation’s critical infrastructure, such as bridges and the electric power grid, in managing cybersecurity risk. The Cybersecurity Framework has grown to be accepted and adopted by a wide range of businesses and organizations as the standard for cybersecurity preparedness.
The Cybersecurity Framework is broken down into three parts: (1) Core; (2) Tiers; and (3) Profiles. The Core describes activities, outcomes and references which detail approaches to different aspects of cybersecurity. The Tiers are used by an organization to determine how it views cybersecurity risks and the degree of sophistication in its management approaches. The Profiles are a list of outcomes that an organization chooses from the categories and subcategories, based on its business needs and risk assessments.
The Core is divided into the following five functions:
- Identify: Determine the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement he appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Each function is further divided into categories, totaling 23 in all. For example, Asset Management, Governance, Risk Assessment, and Risk Management Strategy are categories under the Core function of Identify. While Access Control, Data Security, Information Protection Processes and Procedures, and Maintenance are categories under the Core function of Protect.
Version 1.1 Updates
Draft Version 1.1 “incorporates feedback since the release of version 1.0, and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop 2016 held at the NIST campus in Gaithersburg, Maryland.” According to NIST, “[p]roviding new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.”
Draft Version 1.1 adds “Supply Chain Risk Management” (SCRM) as a new category under the Identify function of the Core functions. The draft update states that “[a] primary objective of cyber SCRM is to identify, assess and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.” Cyber SCRM encompasses cybersecurity throughout the entire supply chain from vendors, suppliers and information technology (IT) and operational technology (OT) partners.
Draft Version 1.1 incorporates a common vocabulary to enable risk management collaborators along the supply chain to coordinate their efforts and suggests several SCRM activities, including determining cybersecurity requirements for suppliers and IT and OT partners; enacting cybersecurity requirements through formal agreements; communicating to suppliers and partners how cybersecurity standards will be verified and validated; and verify cybersecurity requirements are met through a variety of assessment methodologies.
Draft Version 1.1 also renames the category “Access Control” under the Protect function as “Identity Management and Access Control,” and refines the definitions of the terms “authentication,” and “authorization,” in that section. It further adds the concept of “identity proofing” to that section.
NIST also introduces the concept of using metrics to measure the business impact of adopting the framework in Draft Version 1.1. The objective of measuring cybersecurity would be to correlate cybersecurity with business outcomes so as to enable organizations to better understand and assess the value of cybersecurity. As NIST notes: “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”1
Draft Version 1.1 is open for public comment until April 10, 2017.
Version 1.1 of the NIST Cybersecurity Framework is intended to be voluntary. However, given the widespread acceptance of version 1.0 of the Framework as a standard for organizations to evaluate their cybersecurity postures and assess and improve their cybersecurity practices, organizations would be prudent to consider adopting version 1.1 once it is finalized. Organizations that adhere to the NIST Cybersecurity Framework are not necessarily immune from litigation and FTC enforcement actions in the event of a cybersecurity incident. But, those organizations that fail to conform to the Framework are much more likely to be found liable in the event of such an incident.