On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released proposed updates to the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”). The proposed updates, which are found in Version 1.1 of the Cybersecurity Framework, are derived from feedback received by NIST regarding the first version, including from responses to a December 2015 request for information and discussions at a workshop held in April 2016.
The Version 1.1 draft contains the following key updates to the Cybersecurity Framework:
- a new section on cybersecurity measurement;
- an expanded explanation of using the Cybersecurity Framework for cyber supply chain risk management purposes;
- refinements to better account for authentication, authorization and identity proofing; and
- better explanation of the relationship between the Cybersecurity Framework’s implementation tiers and profiles.
NIST is seeking public comment on the proposed updates to the Cybersecurity Framework, specifically regarding the following questions:
- Are there any topics not addressed in the Version 1.1 draft that could be addressed in the final?
- How do the changes made in the Version 1.1 draft impact the cybersecurity ecosystem?
- For those using the first version of the Cybersecurity Framework, would the proposed changes impact your current use of the Cybersecurity Framework?
- For those not currently using the first version, does the Version 1.1 draft affect your decision to use the Cybersecurity Framework?
- Does this proposed update adequately reflect advances made in the Roadmap areas?
- Is there a better label than “Version 1.1” for this update?
- Based on this update, activities in Roadmap areas and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?
NIST intends to review comments and convene a workshop on the Cybersecurity Framework. After doing so, NIST indicated that it plans to publish a final version of the updated Cybersecurity Framework around the fall of 2017.