NIST releases updated version of its Cybersecurity Framework
The changes to NIST’s Cybersecurity Framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were released for public comment.
The new version is compatible with Version 1.0 and it remains flexible, voluntary, and cost-effective. Refinements and enhancements include a more comprehensive treatment of identity management and additional description of how to manage supply chain cybersecurity.
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, describing key areas of development, alignment and collaboration.
The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organisational Profiles, which help organisations to align and prioritise their cybersecurity activities with their business/mission requirements, risk tolerances, and resources. The Tiers provide a mechanism for organisations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help in prioritising and achieving cybersecurity objectives.
Some of the updates in Version 1.1 are described below.
New section on self-assessing cybersecurity risk
The new section explains how the Framework can be used by organisations to understand and assess their cybersecurity risk, including the use of measurements.
According to the Framework, in order to examine the effectiveness of investments, an organisation must first have a clear understanding of its organisational objectives, the relationship between those objectives and supportive cybersecurity outcomes, and how those discrete cybersecurity outcomes are implemented and managed.
The cybersecurity outcomes of the Framework Core support self-assessment of investment effectiveness and cybersecurity activities in several ways. This includes:
- Making choices about how different portions of the cybersecurity operation should influence the selection of Target Implementation Tiers
- Evaluating the organisation’s approach to cybersecurity risk management by determining Current Implementation Tiers
- Prioritising cybersecurity outcomes by developing Target Profiles
- Determining the degree to which specific cybersecurity steps achieve desired cybersecurity outcomes by assessing Current Profiles
- Measuring the degree of implementation for controls catalogs or technical guidance listed as Informative References
The Framework also states that organisations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimise use, while avoiding reliance on artificial indicators of current state and progress. They should also be clear about the limitations of the measurements that are used.
Additional information on Cyber Supply Chain Risk Management
The updated version contains an expanded section on Communicating Cybersecurity Requirements with Stakeholders to help users better understand Cyber Supply Chain Risk Management (SCRM). In addition, a new section, ‘Buying Decisions’, highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services.
Furthermore, additional Cyber SCRM criteria were added to the Implementation Tiers and a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core.
Cyber SCRM refers to the activities necessary to manage cybersecurity risk associated with external parties. It addresses both the cybersecurity effect an organisation has on external parties and the effect external parties have on an organisation.
Cyber SCRM activities may include determining cybersecurity requirements for suppliers; enacting cybersecurity requirements through formal agreement (e.g., contracts); communicating to suppliers how those requirements will be verified and validated; and verifying that the requirements are met through a variety of assessment methodologies.
The parties in the above diagram comprise an organisation’s cybersecurity ecosystem. The Framework states that these relationships, the products and services they provide, and the risks they present should be identified and factored into the protective and detective capabilities of organisations, as well as their response and recovery protocols.
The Framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure products and services. For example, a critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required Categories and Subcategories.
The Framework offers organisations and their partners a method to help ensure a new product or service meets critical security outcomes. The organisation can first select outcomes that are relevant to the context, such as transmission of Personally Identifiable Information (PII), mission-critical service delivery, data verification services, or product or service integrity, and then evaluate partners against those criteria.
The objective should be to make the best buying decision among multiple suppliers, given a carefully determined list of cybersecurity requirements.
The Framework also notes that often this might mean some degree of trade-off, comparing multiple products or services with known gaps to the Target Profile.
Once a product or service is purchased, the Profile can be used to track and address residual cybersecurity risk. The organisation can address the residual risk through other management actions. The Profile also provides the organisation a method for assessing if the product meets cybersecurity outcomes through periodic review and testing mechanisms.
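The self-assessment and buying-decision mechanics described above (comparing a Current Profile against a Target Profile, ranking several offerings with known gaps against the same Target Profile, and tracking the residual risk left after purchase) can be made concrete with a small script. The following is an added illustration, not code from NIST or from the Framework document. It assumes a 0-4 implementation score per Subcategory, a Profile represented as a mapping from Subcategory ID to score, and Subcategory identifiers in the Framework's Function.Category-Number form; PR.AC is the renamed Category mentioned on this page, while the ID.SC identifier for the Supply Chain Risk Management Category and all scores and vendor names are constructed sample data.

```python
"""Profile gap analysis and supplier comparison (illustrative, added example).

Assumptions not taken from the article: outcomes are scored 0 (not
implemented) to 4 (fully implemented and measured); a Profile is a dict of
Subcategory ID -> score; missing Subcategories count as 0. PR.AC is named on
the page; ID.SC numbering, vendor names and every score are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

Profile = dict[str, int]


@dataclass(frozen=True)
class Gap:
    """One Subcategory where the Current Profile falls short of the Target."""
    subcategory: str
    current: int
    target: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current


def gap_analysis(current: Profile, target: Profile) -> list[Gap]:
    """Return every Target Subcategory that Current does not yet satisfy.

    A Subcategory absent from Current is treated as score 0, so an outcome
    that was never addressed shows up as the largest shortfall rather than
    silently disappearing from the comparison.
    """
    gaps = []
    for sub, want in sorted(target.items()):
        have = current.get(sub, 0)
        if have < want:
            gaps.append(Gap(sub, have, want))
    return gaps


def residual_risk(current: Profile, target: Profile) -> int:
    """Sum of shortfalls; 0 means the Target Profile is fully met."""
    return sum(g.shortfall for g in gap_analysis(current, target))


def rank_suppliers(offerings: dict[str, Profile],
                   target: Profile) -> list[tuple[str, int, list[str]]]:
    """Compare several products with known gaps against one Target Profile.

    Returns (name, total shortfall, unmet Subcategory IDs), best first, so a
    trade-off between imperfect offerings is explicit rather than implicit.
    """
    ranked = []
    for name, profile in offerings.items():
        gaps = gap_analysis(profile, target)
        ranked.append((name, sum(g.shortfall for g in gaps),
                       [g.subcategory for g in gaps]))
    ranked.sort(key=lambda row: (row[1], row[0]))
    return ranked


def apply_management_actions(profile: Profile, actions: Profile) -> Profile:
    """Model post-purchase actions (e.g. compensating controls) that raise
    specific outcomes; scores never decrease and are capped at 4."""
    updated = dict(profile)
    for sub, score in actions.items():
        updated[sub] = min(4, max(updated.get(sub, 0), score))
    return updated


# Constructed sample data: a Target Profile an owner/operator might convey
# to a partner, the organisation's own Current Profile, and three offerings.
TARGET: Profile = {"PR.AC-1": 3, "PR.AC-6": 3, "PR.AC-7": 4,
                   "ID.SC-1": 2, "ID.SC-4": 3}
CURRENT: Profile = {"PR.AC-1": 3, "PR.AC-6": 1, "PR.AC-7": 2, "ID.SC-1": 2}
OFFERINGS: dict[str, Profile] = {
    "vendor_a": {"PR.AC-1": 3, "PR.AC-6": 3, "PR.AC-7": 3,
                 "ID.SC-1": 2, "ID.SC-4": 3},
    "vendor_b": {"PR.AC-1": 4, "PR.AC-6": 2, "PR.AC-7": 4,
                 "ID.SC-1": 1, "ID.SC-4": 3},
    "vendor_c": {"PR.AC-1": 4, "PR.AC-6": 4, "PR.AC-7": 4, "ID.SC-1": 2},
}


if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET):
        print(f"{g.subcategory}: current {g.current}, target {g.target}")
    print("residual risk:", residual_risk(CURRENT, TARGET))
    for name, total, unmet in rank_suppliers(OFFERINGS, TARGET):
        print(f"{name}: shortfall {total}, unmet {unmet}")
    # After buying vendor_a, a compensating control closes its remaining gap.
    after = apply_management_actions(OFFERINGS["vendor_a"], {"PR.AC-7": 4})
    print("vendor_a residual after actions:", residual_risk(after, TARGET))
```

The point of keeping the shortfall list per offering, rather than only a total, is the trade-off the Framework describes: two products can have the same score while leaving very different outcomes unmet, and the unmet list is what feeds the post-purchase residual-risk tracking.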
Refinements to better account for authentication, authorisation, and identity proofing
The language of the Access Control Category has been refined to better account for authentication, authorisation, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. The Category has also been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.
Version 1.1 of the CyberSecurity Framework can be accessed here.