
NIST releases updated version of its Cybersecurity Framework

The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has released Version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity.

The changes to NIST’s Cybersecurity Framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were released for public comment.

The new version is compatible with Version 1.0 and it remains
flexible, voluntary, and cost-effective. Refinements and enhancements include a
more comprehensive treatment of identity management and additional description
of how to manage supply chain cybersecurity.

Later this year, NIST plans to release an updated companion
document, the Roadmap for Improving Critical Infrastructure Cybersecurity, describing
key areas of development, alignment and collaboration.

The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organisational Profiles, which help organisations align and prioritise their cybersecurity activities with their business/mission requirements, risk tolerances, and resources. The Tiers provide a mechanism for organisations to view and understand the characteristics of their approach to managing cybersecurity risk, which helps in prioritising and achieving cybersecurity objectives.

Some of the updates in Version 1.1 are described below.

New section on self-assessing cybersecurity risk

The new section explains how the Framework can be used by
organisations to understand and assess their cybersecurity risk, including the
use of measurements.

According to the Framework, in order to examine the
effectiveness of investments, an organisation must first have a clear
understanding of its organisational objectives, the relationship between those
objectives and supportive cybersecurity outcomes, and how those discrete
cybersecurity outcomes are implemented and managed.

The cybersecurity outcomes of the Framework Core support
self-assessment of investment effectiveness and cybersecurity activities in several
ways. This includes:

  • Making choices about how different portions of
    the cybersecurity operation should influence the selection of Target
    Implementation Tiers
  • Evaluating the organisation’s approach to
    cybersecurity risk management by determining Current Implementation Tiers
  • Prioritising cybersecurity outcomes by
    developing Target Profiles
  • Determining the degree to which specific
    cybersecurity steps achieve desired cybersecurity outcomes by assessing Current
    Profiles
  • Measuring the degree of implementation for
    controls catalogs or technical guidance listed as Informative References

The Framework also states that organisations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimise use, while avoiding reliance on artificial indicators of current state and progress. They should also be clear about the limitations of the measurements that are used.

Additional information on Cyber Supply Chain Risk Management

The updated version contains an expanded section on Communicating Cybersecurity Requirements with Stakeholders to help users better understand Cyber Supply Chain Risk Management (SCRM). In addition, a new section, ‘Buying Decisions’, highlights use of the Framework in understanding the risk associated with commercial off-the-shelf products and services.

Furthermore, additional Cyber SCRM criteria were added to
the Implementation Tiers and a Supply Chain Risk Management Category, including
multiple Subcategories, has been added to the Framework Core.

Cyber SCRM refers to the activities necessary to manage
cybersecurity risk associated with external parties. It addresses both the
cybersecurity effect an organisation has on external parties and the effect
external parties have on an organisation.

Cyber SCRM activities may include determining cybersecurity
requirements for suppliers; enacting cybersecurity requirements through formal
agreement (e.g., contracts); communicating to suppliers how those requirements
will be verified and validated; and verifying that the requirements are met
through a variety of assessment methodologies.

[Figure: Cyber Supply Chain Relationships. Credit: NIST (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1)]

The parties in the above diagram comprise an organisation’s
cybersecurity ecosystem. The Framework states that these relationships, the
products and services they provide, and the risks they present should be
identified and factored into the protective and detective capabilities of
organisations, as well as their response and recovery protocols.

The Framework provides a common language to communicate
requirements among interdependent stakeholders responsible for the delivery of
essential critical infrastructure products and services. For example, a
critical infrastructure owner/operator, having identified an external partner
on whom that infrastructure depends, may use a Target Profile to convey
required Categories and Subcategories.

The Framework offers organisations and their partners a method to help ensure that a new product or service meets critical security outcomes. The organisation first selects the outcomes that are relevant to the context, such as transmission of Personally Identifiable Information (PII), mission-critical service delivery, data verification services, or product or service integrity, and then evaluates partners against those criteria.

The objective should be to make the best buying decision
among multiple suppliers, given a carefully determined list of cybersecurity requirements.

The Framework also notes that often this might mean some
degree of trade-off, comparing multiple products or services with known gaps to
the Target Profile.

Once a product or service is purchased, the Profile can be
used to track and address residual cybersecurity risk. The organisation can
address the residual risk through other management actions. The Profile also
provides the organisation a method for assessing if the product meets
cybersecurity outcomes through periodic review and testing mechanisms.
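The buying-decision and residual-risk process described above, as an added worked example in Python that is not part of the Framework or of this article. It encodes a Target Profile as a list of Subcategories with a required implementation level and a priority, finds each candidate supplier's gaps against it, ranks the candidates with an explicit trade-off policy (a gap in a must-have Subcategory always outweighs a lower residual score), and recomputes the residual risk after the purchasing organisation applies its own compensating actions. The Subcategory identifiers are taken from CSF 1.1 naming as an assumption (PR.AC-6 and PR.AC-7 are the Identity Proofing and Authentication Subcategories added in 1.1; ID.SC is the new Supply Chain Risk Management Category); the four-step implementation scale, the priority weights and the three vendor profiles are constructed for illustration.

```python
"""Profile-based gap analysis for a buying decision (added example, not NIST code).

A Target Profile lists the CSF Subcategories an organisation requires of a
product or service and how fully each must be implemented; a supplier's
Current Profile records what it actually does.  All levels, weights and
vendor data below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed implementation scale for a Subcategory (not a CSF concept).
NOT_ADDRESSED, PARTIAL, LARGELY, FULL = 0, 1, 2, 3


@dataclass(frozen=True)
class Requirement:
    subcategory: str  # CSF 1.1 Subcategory identifier, e.g. "PR.AC-7" (assumed naming)
    target: int       # implementation level the Target Profile demands
    priority: int     # 1 = must-have ... 4 = nice-to-have


@dataclass(frozen=True)
class Gap:
    subcategory: str
    target: int
    current: int
    priority: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current


def find_gaps(target_profile, current_profile):
    """Subcategories where the Current Profile falls short of the Target Profile.

    A Subcategory absent from the Current Profile counts as not addressed.
    Gaps are returned highest priority first, then largest shortfall.
    """
    gaps = []
    for r in target_profile:
        current = current_profile.get(r.subcategory, NOT_ADDRESSED)
        if current < r.target:
            gaps.append(Gap(r.subcategory, r.target, current, r.priority))
    gaps.sort(key=lambda g: (g.priority, -g.shortfall, g.subcategory))
    return gaps


def residual_risk_score(gaps):
    """Priority-weighted sum of shortfalls (priority 1 counts 4x, priority 4 counts 1x)."""
    return sum(g.shortfall * (5 - g.priority) for g in gaps)


def rank_candidates(target_profile, candidates):
    """Order candidate suppliers for a buying decision.

    Policy: fewer gaps in priority-1 (must-have) Subcategories always wins; ties
    are broken by the weighted residual score, then by name.  A plain weighted
    sum would let several minor strengths hide one authentication gap, which is
    the trade-off the Framework asks buyers to make explicitly.
    """
    rows = []
    for name, profile in candidates.items():
        gaps = find_gaps(target_profile, profile)
        must_have_gaps = sum(1 for g in gaps if g.priority == 1)
        rows.append((name, must_have_gaps, residual_risk_score(gaps), gaps))
    rows.sort(key=lambda r: (r[1], r[2], r[0]))
    return rows


def apply_actions(current_profile, actions):
    """New Current Profile after compensating controls or supplier remediation
    raise some Subcategories; a level is never lowered by an action."""
    updated = dict(current_profile)
    for subcategory, level in actions.items():
        updated[subcategory] = max(updated.get(subcategory, NOT_ADDRESSED), level)
    return updated


# Constructed Target Profile for a service that will transmit PII on the organisation's behalf.
TARGET_PROFILE = (
    Requirement("PR.AC-7", FULL, 1),     # users, devices and assets authenticated
    Requirement("ID.SC-3", FULL, 1),     # cyber requirements enacted through contracts
    Requirement("PR.AC-1", FULL, 2),     # identities and credentials managed
    Requirement("PR.AC-6", LARGELY, 2),  # identities proofed and bound to credentials
    Requirement("ID.SC-4", LARGELY, 3),  # supplier routinely assessed
)

# Constructed Current Profiles of three candidate suppliers.
CANDIDATES = {
    "vendor-a": {"PR.AC-7": LARGELY, "ID.SC-3": FULL, "PR.AC-1": FULL, "PR.AC-6": LARGELY, "ID.SC-4": PARTIAL},
    "vendor-b": {"PR.AC-7": FULL, "ID.SC-3": FULL, "PR.AC-1": FULL, "PR.AC-6": PARTIAL},
    "vendor-c": {"PR.AC-7": FULL, "ID.SC-3": LARGELY, "PR.AC-1": LARGELY, "PR.AC-6": FULL, "ID.SC-4": LARGELY},
}

if __name__ == "__main__":
    for name, must_have, score, gaps in rank_candidates(TARGET_PROFILE, CANDIDATES):
        print(f"{name}: must-have gaps={must_have} residual={score} "
              f"gaps={[(g.subcategory, g.current, g.target) for g in gaps]}")
    # After buying vendor-b the organisation assesses the supplier itself (ID.SC-4),
    # leaving only the identity-proofing gap to track at periodic review.
    after = apply_actions(CANDIDATES["vendor-b"], {"ID.SC-4": LARGELY})
    print("residual after purchase:", residual_risk_score(find_gaps(TARGET_PROFILE, after)))
```

With these constructed profiles vendor-a has the lowest weighted residual (6 against 7 for the other two), yet it is ranked second because its one gap is in authentication, a must-have; vendor-b wins with no must-have gaps, and its remaining ID.SC-4 gap is closed by the buyer's own assessment activity rather than by the supplier.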

Refinements to better account for authentication, authorisation, and identity proofing

The language of the Access Control Category has been refined
to better account for authentication, authorisation, and identity proofing.
This included adding one Subcategory each for Authentication and Identity
Proofing. The Category has also been renamed to Identity Management and Access
Control (PR.AC) to better represent the scope of the Category and corresponding
Subcategories.

Version 1.1 of the Cybersecurity Framework is available from NIST.
