At the end of April, NIST released the v1.1 update to its Cybersecurity Framework (‘CSF’). (See our introduction to the Framework through our most recent blog article.) HORNE had the opportunity to attend the NIST update webinar last month. Below is a summary of the the latest updates to be considered by your organization if you currently utilize or plan to utilize the Cybersecurity Framework.
- As we noted previously, it is important to remember that NIST itself has no regulatory function; it merely provides the Cybersecurity Framework as a guide with no enforcement ability. Although there are some organizations that offer a ‘certification’ related to the Framework, those are not endorsed or required by NIST.
- The Framework is not a “maturity model” as it is so often presented. The Implementation Tiers must be subject to Cost/Benefit and prioritization of the organization. It is not advisable or practicable to achieve a Tier 4 (Adaptive) for each control activity in the Core.
- Users of v1.0 of the Framework are not required to adopt the new version and no references were changed. Users may continue to build upon 1.0 or keep 1.0 knowing that it will continue to be operable with the latest version.
- Subcategories are focused on outcomes. Organizations should pay special attention to the verbs used within each subcategory, such as “identified,” “established,” “assessed,” etc.
- The listing of “Information Resources” is not comprehensive. Some references may not be included for brevity.
Updates and New Additions
The following items were updated in the Framework:
- Clarified terms such as “compliance” can mean different things to different stakeholders and typically lead to confusion.
- The section, “Communicating Cybersecurity Requirements with Stakeholders,” was expanded to help users better understand Cyber Supply Chain Risk Management (SCRM).
- The “Access Control” category was refined and renamed to “Identity Management and Access Control” to better account for authentication, authorization, and identity proofing.
- Language was added to the section “Establish or Improving a Cybersecurity Program” around using Framework Tiers during implementation.
- Framework Tiers language was added to reflect the integration of considerations within organizational risk management programs.
- Framework Tier concepts were refined and actions included.
The following items were added as new:
- A new category, “Supply Chain Risk Management,” has been added to the Core.
- “Self-Assessing Cybersecurity Risk with the Framework” explains how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.
- “Buying Decisions” highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services.
- New Cyber SCRM criteria were added to the Implementation Tiers.
- New subcategories were added for “Authentication” and “Identity Proofing.”
- New subcategory related to the vulnerability disclosure lifecycle was added.
What the Future Holds
In late 2018, NIST plans to release an updated companion to the Framework, titled the “Roadmap for Improving Critical Infrastructure Cybersecurity,” which will describe key areas of development, alignment and collaboration. HORNE will examine the document upon its release and distribute a follow up blog that will highlight the need-to-know information for organizations implementing the Framework.