NIST Framework v1.1 Enhancements Widen Applicability Across Organizations and Industries


Whenever a new product is released into the marketplace, it is usually only a matter of time before revisions or enhancements are made to improve its function and broaden its use. That is the course NIST has taken with its latest revision of the Cybersecurity Framework.

The NIST Cybersecurity Framework provides a way for organizations to prioritize cybersecurity resources and help them make risk-related decisions. Using The Framework, they can identify, assess and take actions to reduce cyber risk, while enhancing communication within their organization and with partners, suppliers and regulators.

The first NIST Cybersecurity Framework, v1.0, was published in February 2014 after a year in development. It was created through a collaboration of industry, academic and government stakeholders, and primarily targeted organizations that are part of the nation's critical infrastructure. Four years after Framework v1.0 was introduced, NIST released v1.1. The new goal was for Framework v1.1 to be flexible enough to be adopted not only by federal, state and local governments, but also by large and small companies and organizations across all industry sectors.


It Began with an Executive Order to Reduce Cyber Risk

In February 2013, a Presidential Executive Order instructed the Secretary of Commerce to “lead the development of a framework to reduce cyber risks to critical U.S. infrastructure.” The framework would consist of “a set of standards, methodologies, procedures and processes that would align policy, business and technological approaches to address cyber risks.” The result was the NIST Cybersecurity Framework v1.0, introduced in February 2014.

The rationale was to create a set of standards, guidelines and practices to help organizations tied to the nation's financial, energy, healthcare and other critical systems better protect their information and physical assets from cyberattacks. The Framework incorporated voluntary consensus standards and industry best practices consistent with voluntary international standards.

In 2015, the process for updating the Cybersecurity Framework got underway, and in December 2017 NIST released the second draft of Framework v1.1. The new draft took into account public and private sector feedback received by NIST since v1.0 was published, including hundreds of written comments and conversations with over 1,000 participants at the 2016 and 2017 annual workshops, where CyberSaint's Founder was also in attendance providing feedback on the Framework. In addition, two drafts of version 1.1 were circulated for public comment.


Changes and Enhancements Found in Framework v1.1

The update was intended to clarify, refine and enhance the Framework, increasing its value and making it easier for even more organizations to use it in managing their cybersecurity risk. For the most part, the NIST Cybersecurity Framework v1.1 is consistent and fully compatible with v1.0, and it remains flexible, voluntary and cost-effective.

Here are some highlights of the v1.1 updates:

· The Cybersecurity Framework declares its applicability to information technology (IT), operational technology (OT), cyber-physical systems (CPS) and the Internet of Things (IoT).

· There is enhanced guidance for applying the Framework to supply chain risk management, with greater emphasis on how an organization manages its vendors.

· The Access Control Category has been renamed Identity Management and Access Control, to better account for authentication, authorization and identity proofing.

· The new version administratively updates the Informative References.

· The Framework's utility is clarified as a structure and language for organizing and expressing compliance with an organization's own cybersecurity requirements.

· A new section explains how the Framework can be used to understand and assess cybersecurity risk, including the use of measurements for objective evaluation, especially in self-assessment, making it easier to compare current conditions with past ones.

· A Subcategory has been added related to the vulnerability disclosure lifecycle.

· A new section focuses on assisting with buying decisions, by helping organizations understand the risk that comes with commercial off-the-shelf products and services.

· Further risk management criteria, including supply chain considerations, were added to the Implementation Tiers.

In addition, NIST released an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration. It also offers stakeholders another way to participate in Framework’s continuing development.


The Framework Updating Process Continues

Designed to be relevant for organizations of every size, sector and type, the latest revision of NIST's Cybersecurity Framework has become more informative, more useful and more inclusive of organizations in both government and the private sector.

“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director.

NIST also continues to support the development of voluntary, industry-led cybersecurity standards and best practices. The process used to update the Framework is now published on the Cybersecurity Framework website, so that everyone involved will understand how future updates will be made.

If you have questions about Framework v1.1, its application, its updates or its compatibility with other platforms, contact us at CyberSaint and we will be happy to discuss them with you.

The CyberStrong Platform was built upon the depth and breadth of NIST, and with our NIST-vetted scoring model, the platform helps you get to NIST adoption rapidly without misdirected time and resources.

