The National Institute of Standards & Technology (NIST) has issued a revised draft version of its Cybersecurity Framework. The document is issued as “Version 1.1″ of the existing framework, redlined to show changes from the original framework issued almost three years ago. It is a draft, seeking comment. No period for public comment is specified, except that NIST expects to hold a public workshop on the revised draft “around the fall of 2017.”

Some key changes from the 2014 document are:

  • The addition of supply chain risk management to the framework. Supply chain risk management (a) is introduced as a factor in characterizing Implementation Tiers, (b) is discussed at some length in the description of how to use the Framework, and (c) is added to the “Identify” Core Function as part of initial risk assessment and standards mapping, along with references to standards on supply chain management.
  • The addition of identity management to access controls as part of the “Protect” Core Function, also with references to standards.
  • The addition of an entirely new section on cybersecurity metrics in the description of Framework implementation, including a detailed discussion of types of measurement.
  • The addition in the section on metrics of a discussion of “correlation to business results.” In connection with cybersecurity metrics, the proposed revision recognizes that “the relative cost effectiveness of various cybersecurity activities is an important consideration,” but is a complex factor that varies within a company from the board level, to senior executives, and to those who report to senior executives. Cost-effectiveness is described as achieving a business objective using minimum cybersecurity effort and expense. The new text highlights management metrics to enable cybersecurity to be factored into enterprise risk management more effectively.

The NIST Cybersecurity Framework was nominally aimed at critical infrastructure but, because it explicitly avoided a one-size-fits-all approach, it has proved widely adaptable to and adopted by organizations of all kinds. The revised draft embraces this wide application by adding a discussion of the relationship between the Framework and other guidelines for federal agencies, as well as additional explanation of how to use the Framework that makes it more accessible to different kinds of organizations.