NIST refines Cybersecurity Framework
- By Sara Friedman
As a first line of defense, the National Institute of Standards and Technology’s Cybersecurity Framework helps federal, state and local governments -- as well as organizations across all industry sectors -- manage cybersecurity-related risk.
Version 1.1 is an update to the original released in February 2014 and is meant to serve as a living document where changes can be made as cyber environments and risks shift.
The two versions are fully compatible. The additions, including new categories and subcategories, do not invalidate uses or work products in the first version of the Framework. “We didn’t want to change the framework substantially so the two frameworks could work with each other,” NIST Cybersecurity Framework Program Manager Matt Barrett said during an April 27 webinar on the Framework update.
The changes to the framework are based on feedback collected through public calls for comments, questions received by team members and workshops held in 2016 and 2017.
Changes include a new category for managing supply chain risk, which includes an assessment process for commercial off-the-shelf IT products and services.
Eight subcategories were added, and language was refined in several places, such as clarifying what “compliance” means for various stakeholders. A new section on self-assessment for cybersecurity risk was added, and the access control category has also been changed to better account for authentication, authorization and identity proofing.
In addition, information has been added to implementation tiers and profiles to reflect considerations within an organization’s risk management program. Another subcategory has also been added to address coordinated vulnerability disclosure.
Read Version 1.1 of the Framework here.