The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) recently released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework. US Secretary of Commerce Wilbur Ross made an appeal to C-level management for all companies in the United States to use the framework as the first line in their overall cyber-defense strategy. The framework was originally developed to address industries deemed vital to US national and economic security including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
Increased Focus on Risk Management
The element of risk management is at the forefront of this new release. NIST hinted at this increased focus on risk management at the recent ARC Industry Forum in Orlando, where Keith Stouffer, NIST Project Manager of Cybersecurity for Smart Manufacturing Systems, discussed methods, metrics, and tools to enable manufacturers to assess the cyber risk to their systems quantitatively. ARC is already seeing increased use of risk-based approaches to cybersecurity that borrow heavily from the HAZOP and risk matrix concepts used in process safety. The NIST Framework itself stops short of being an actual cybersecurity risk management model, but other resources, including the IEC 62443 series of cybersecurity standards, can fill that role well.
Version 1.1 of the NIST Framework includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. Changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs. A new section 4.0 called Self-Assessing Cybersecurity Risk explains how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.
An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4 Buying Decisions highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core.
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment, and collaboration. NIST is also planning a Cybersecurity Risk Management Conference—which will include a major focus on the framework—for November 6 through 8, 2018, in Baltimore, Maryland. Detailed information on the conference will soon be available on the Cybersecurity Framework website. The website also includes guidance for those new to the framework, links to framework-related tools and methodologies, and perspectives on the framework from those who use it.