On January 10, 2017, as the Obama administration draws to a close, the National Institute of Standards and Technology (“NIST”) released a long-awaited draft version 1.1 of its ground-breaking Framework for Improving Critical Infrastructure Cybersecurity. This draft revision builds upon the initial “version 1.0” of the cybersecurity framework, which NIST released in February, 2014, pursuant to an Executive Order issued by President Obama in February 2013 as part of his cybersecurity agenda. The initial framework was the result of a collaborative process involving industry, government and academia, supervised by NIST. The framework is a significant part of the federal government’s cybersecurity policy for improving the protection of critical parts of the government and industry from cyber attacks
According to NIST’s statement accompanying the release of draft version 1.1, “the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks [by] providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity.”
In addition, according to NIST, the draft update “incorporates feedback since the release of framework version 1.0, and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop 2016 held at the NIST campus in Gaithersburg, Maryland.
“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
NIST further notes that, “in the renamed and revised ‘Identity Management and Access Control’ category, the draft clarifies and expands the definitions of the terms ‘authentication’ and ‘authorization.’ [NIST}also added and defined the related concept of “identity proofing.”
In the draft update, NIST also includes the concept of using metrics — measuring the business impact of using the framework of standards. “In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” he added
As with the initial version, the update is also intended to be a voluntary framework – a tool for business and government agencies to use to evaluate their current cybersecurity posture, and to use as a method for assessing and improving their cybersecurity practices.
However, it should be noted that organizations that follow the NIST cybersecurity framework are not necessarily immune from FTC enforcement actions in the event of a data breach. As we reported in a September 2016 article, the FTC says the Framework “is not, and isn’t intended to be, a standard or checklist.” Instead, “[i]t’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program.”
Version 1.1 is organized much the same as the original version, as follows:
Section 1 provides an introduction and overview.
Section 2 describes the Framework components: the Framework Core, the Tiers, and the Profiles.
Section 3 presents examples of how the Framework can be used.
Section 4 describes how to use Framework for cybersecurity measurement.
Appendix A presents the Framework Core in a tabular format: the Functions, Categories, Subcategories, and Informative References.
Appendix B contains a glossary of selected terms.
Appendix C lists acronyms used in this document.
Appendix D is a detailed listing of updates between the Framework Version 1.0 and 1.1.
As explained by NIST, the Framework’s five “Core Functions” are not intended to form a serial path, or lead to a static desired end state. Rather, the Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
Public comments to draft version 1.1 of the cybersecurity framework will be accepted until April 10. NIST is expected to hold a public workshop after the comment period ends.