On December 5, 2017, the National Institute of Standards and Technology (NIST) released a revised draft of its proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity. The revised draft includes a new section on communicating with stakeholders about cybersescurity requirements, addresses stakeholder concerns regarding cybersecurity supply chain risk management and measuring cybersecurity risks and benefits, and addresses six new topics, including the Cyber-Attack Lifecycle. NIST has updated both the Framework and its accompanying Roadmap.

The revised Framework includes a new section on Communicating Cybersecurity Requirements with Stakeholders. This addition outlines the importance of establishing a common language for interdependent stakeholders up and down the cybersecurity supply chain to use when communicating with each other about cybersecurity requirements. The Framework identifies the primary objective of Cyber Supply Chain Risk Management as “to identify, assess, and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.’” NIST describes the SCRM as encompassing technology and non-technology suppliers and buyers, industrial control systems, cyber-physical systems, and connected devices generally. The revised Framework offers these organizations and their partners a method for ensuring that new products and services meet critical security requirements.

The revised Roadmap also addresses six new topics, including the Cyber-Attack Lifecycle. NIST defines the Cyber-Attack Lifecycle as “the sequence of events that a malicious agent undertakes to successfully penetrate a network for nefarious purposes.” The Roadmap highlights the importance of readily-available cyber threat information—including threat and vulnerability metrics—to improve risk management decision making. The update stresses the criticality of a “near-real time exchange of automated threat and vulnerability indicators between organizations and information sharing communities,” including Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry peers, supply chain partners, and security service providers. To support this critical need, NIST plans to continue its Cyber-Attack Lifecycle research and provide additional guidance through

• Machine-readable formats and automated mechanisms for sharing cyber threat information,
• Raising awareness of Coordinated Vulnerability Disclosure among stakeholders,
• Supporting private and public sector efforts to establish and streamline CVD approaches and methodologies,
• Supporting information sharing initiatives such as ISACs and ISAOs,
• Benchmarking and measuring fundamental scientific elements of big data analysis, and
• Developing NIST Special Publications on the secure application of big data analytic techniques.

NIST is currently accepting comments on the framework and roadmap through 11:59 PM EST, January 19, 2018, and plans to publish final versions of these documents in early 2018. Comments should be directed to cyberframework@nist.gov.