The changes to NIST’s Cybersecurity
Framework are based on feedback collected through public calls for
comments, questions received by team members, and workshops held in 2016 and
2017. Two drafts
of Version 1.1 were released for public comment.
The new version is compatible with Version 1.0 and it remains
flexible, voluntary, and cost-effective. Refinements and enhancements include a
more comprehensive treatment of identity management and additional description
of how to manage supply chain cybersecurity.
Later this year, NIST plans to release an updated companion
document, the Roadmap for Improving Critical Infrastructure Cybersecurity, describing
key areas of development, alignment and collaboration.
The Framework consists of three parts: the Framework Core,
the Implementation Tiers, and the Framework Profiles. The Framework Core is a
set of cybersecurity activities, outcomes, and informative references that are
common across sectors and critical infrastructure. Elements of the Core provide
detailed guidance for developing individual organisational Profiles, which help
organisations to align and prioritise their cybersecurity activities with its
business/mission requirements, risk tolerances, and resources. The Tiers
provide a mechanism for organisations to view and understand the
characteristics of their approach to managing cybersecurity risk, which will
help in prioritising and achieving cybersecurity objectives.
Some of the updates in Version 1.1 are described below.
New section on self-assessing
The new section explains how the Framework can be used by
organisations to understand and assess their cybersecurity risk, including the
use of measurements.
According to the Framework, in order to examine the
effectiveness of investments, an organisation must first have a clear
understanding of its organisational objectives, the relationship between those
objectives and supportive cybersecurity outcomes, and how those discrete
cybersecurity outcomes are implemented and managed.
The cybersecurity outcomes of the Framework Core support
self-assessment of investment effectiveness and cybersecurity activities in several
ways. This includes:
- Making choices about how different portions of
the cybersecurity operation should influence the selection of Target
- Evaluating the organisation’s approach to
cybersecurity risk management by determining Current Implementation Tiers
- Prioritising cybersecurity outcomes by
developing Target Profiles
- Determining the degree to which specific
cybersecurity steps achieve desired cybersecurity outcomes by assessing Current
- Measuring the degree of implementation for
controls catalogs or technical guidance listed as Informative References
The Framwork also states that organisations should be thoughtful,
creative, and careful about the ways in which they employ measurements to
optimise use, while avoiding reliance on artificial indicators of current state
and progress. They also should be clear about the limitations of measurements
that are used.
information on Cyber Supply Chain Risk Management
The updated version contains an expanded section on
Communicating Cybersecurity Requirements with Stakeholders to help users better
understand Cyber Supply Chain Risk Management (SCRM). In addition, a new
Section, ‘Buying Decisions’ highlights use of the Framework in understanding
risk associated with commercial off-the-shelf products and services.
Furthermore, additional Cyber SCRM criteria were added to
the Implementation Tiers and a Supply Chain Risk Management Category, including
multiple Subcategories, has been added to the Framework Core.
Cyber SCRM refers to the activities necessary to manage
cybersecurity risk associated with external parties. It addresses both the
cybersecurity effect an organisation has on external parties and the effect
external parties have on an organisation.
Cyber SCRM activities may include determining cybersecurity
requirements for suppliers; enacting cybersecurity requirements through formal
agreement (e.g., contracts); communicating to suppliers how those requirements
will be verified and validated; and verifying that the requirements are met
through a variety of assessment methodologies.
The parties in the above diagram comprise an organisation’s
cybersecurity ecosystem. The Framework states that these relationships, the
products and services they provide, and the risks they present should be
identified and factored into the protective and detective capabilities of
organisations, as well as their response and recovery protocols.
The Framework provides a common language to communicate
requirements among interdependent stakeholders responsible for the delivery of
essential critical infrastructure products and services. For example, a
critical infrastructure owner/operator, having identified an external partner
on whom that infrastructure depends, may use a Target Profile to convey
required Categories and Subcategories.
The Framework offers organisations and their partners a
method to help ensure the new product or service meets critical security
outcomes. the organisation can first selecting outcomes that are relevant to
the context, such as transmission of Personally Identifiable Information (PII),
mission critical service delivery, data verification services, product or
service integrity and then evaluate partners against those criteria.
The objective should be to make the best buying decision
among multiple suppliers, given a carefully determined list of cybersecurity requirements.
The Framework also notes that often this might mean some
degree of trade-off, comparing multiple products or services with known gaps to
the Target Profile.
Once a product or service is purchased, the Profile can be
used to track and address residual cybersecurity risk. The organisation can
address the residual risk through other management actions. The Profile also
provides the organisation a method for assessing if the product meets
cybersecurity outcomes through periodic review and testing mechanisms.
Refinements to better
account for authentication, authorisation, and identity proofing
The language of the Access Control Category has been refined
to better account for authentication, authorisation, and identity proofing.
This included adding one Subcategory each for Authentication and Identity
Proofing. The Category has also been renamed to Identity Management and Access
Control (PR.AC) to better represent the scope of the Category and corresponding
Version 1.1 of the CyberSecurity Framework can be accessed here.