Revising its guidance on internal assessments and highlighting the importance of managing cybersecurity within supply chains, the National Institute of Standards and Technology (NIST) released the second draft of Version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity” (the Framework) on December 5, 2017, for public comment through January 19, 2018. The second draft brings NIST one step closer to adopting a revised Framework suitable for use by all industry sectors in managing and mitigating cybersecurity risk.
The Framework, first established pursuant to an Executive Order in 2014,1 is a set of voluntary standards, recommendations and best practices that aims to help organizations of all types to manage cybersecurity risk in a “cost-effective way based on business needs without placing additional regulatory requirements on businesses.” The NIST Framework initially focused on critical infrastructure like power plants, but the recently released second draft of Version 1.1 clarifies the Framework’s broader applicability to technology, including information technology (IT), operational technology (such as industrial control systems, or ICS), cyber-physical systems, and the Internet of Things. The “smarter” and more integrated devices are—whether SCADA systems or refrigerators—the greater the cyber vulnerability may be.
Importantly, NIST intends that Version 1.1 be compatible with Version 1.0 to make it easy for businesses to update their procedures with little or no disruption. Thus, draft Version 1.1 retains the three key parts of the original Framework—the Framework Core, the Framework Implementation Tiers and the Framework Profile—and updates and clarifies implementation guidance. Additional details regarding NIST’s proposed revisions follow.
Second Draft of Framework Version 1.1
One of the two most important features of this second draft concerns the addition of new language on vulnerability disclosures and refocused language on internal cyber assessments. Specifically, in these revisions, NIST clarified and revised cybersecurity measurement language by revising the Framework to emphasize the correlation of business results to cybersecurity risk management. Instead of focusing on outside assessment of the use of the Framework, the revised Framework would promote the use of internal self-assessment to measure the effectiveness of using the Framework.
Second, NIST provided clarification regarding the use of the Framework to manage cybersecurity within supply chains, a critical yet often overlooked vulnerability. The revised section 3.3 of the Framework specifically highlights the importance of communication within a supply chain as an important way to manage cybersecurity risk. The supply chain is a topic that received significant scrutiny from stakeholders in their comments on the first draft of Version 1.1 of the Framework.
In addition, NIST made several other changes, including: (i) refinements to the Framework to address authentication, authorization and identity proofing; (ii) adding a subcategory related to the vulnerability disclosure lifecycle; and (iii) the removal of guidance for federal agencies in light of separate presidential guidance.
Finally, NIST published a revised draft Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 (the Roadmap), which details public and private efforts to support the Framework. The goal of the Roadmap is to “describe plans for advancing the Framework development process, discuss [NIST’s] next steps with the Framework, and identif[y] key areas of development, alignment, and collaboration.” NIST explains that the topics outlined in the Roadmap have been identified by stakeholders and should “inform future versions of the framework.”
Comments on the Second Draft of the Framework
NIST is requesting public comment on the second draft of Framework Version 1.1 and is specifically seeking comments on the following questions:
- Do the revisions in Version 1.1 reflect the changes in the current cybersecurity ecosystem (threats, vulnerabilities, risks, practices and technological approaches), including those developments in the Roadmap items?
- For those using Version 1.0, would the proposed changes affect your current use of the Framework? If so, how?
- For those not currently using Version 1.0, would the proposed changes affect your decision about using the Framework? If so, how?
NIST is accepting comments through January 19, 2018, and intends to issue a revised Framework Version 1.1 in early 2018.