
What's New in the NIST Cybersecurity Framework 1.1


The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), abbreviated as “NIST CSF”, provides a way for organizations to prioritize cybersecurity resources and help them make risk-related decisions. Using the CSF, businesses can identify, assess, and take actions to reduce cyber risk while enhancing communication within their organization and with partners, suppliers, and regulators.

A Summarized History of the NIST CSF

The first NIST Cybersecurity Framework, v1.0, was published in February 2014, after a year in development. Created through a collaboration of industry, academic, and government stakeholders, the first version primarily targeted organizations in the United States’ critical infrastructure sectors, helping them implement the activities needed to prevent cybersecurity events and keep each site secure.

The NIST Cybersecurity Framework Began with an Executive Order to Reduce Cyber Risk

In February 2013, a Presidential Order instructed the Secretary of Commerce to “lead the development of a framework to reduce cyber risks to critical U.S. infrastructure.” The framework was to consist of “a set of standards, methodologies, procedures, and processes that would align policy, business, and technological approaches to address cyber risks.” The result was the NIST Cybersecurity Framework v1.0, introduced in February 2014.

The rationale was to create a set of standards, guidelines, and practices to help organizations tied to the nation’s financial, energy, healthcare, and other critical systems better protect their information and physical assets from cyber-attacks. The NIST Framework incorporated voluntary consensus standards and industry best practices consistent with voluntary international standards.

Built using three layers - the Framework Core, Framework Implementation Tiers, and Profiles - the CSF (also known as the Framework for Improving Critical Infrastructure Cybersecurity) was most remarkable for its outcomes-based approach to cybersecurity risk management, covering everything from policies and procedures for security awareness training to making sure that when sharing sensitive information, the data is encrypted and transmitted securely.

In 2015, the process for updating the NIST Cybersecurity Framework got underway, and in December 2017, NIST released the second draft of the NIST CSF 1.1. The v1.1 draft took into account public and private sector feedback received by NIST since v1.0 was published, including hundreds of written comments and conversations with over 1,000 participants at the 2016 and 2017 annual workshops, where CyberSaint’s founders were also in attendance providing feedback on the NIST Cybersecurity Framework. Two drafts of NIST CSF 1.1 were circulated for public comment.

What’s New in NIST Cybersecurity Framework v1.1

Four years after the NIST Framework v1.0 was introduced, NIST released v1.1. The new goal was for Framework v1.1 to be flexible enough to be adopted not only by federal agencies and state and local governments, but also by companies and organizations of all sizes across all industry sectors.

The update clarifies, refines, and enhances the Framework, increasing its value and making it easier for even more organizations to use it in managing their cybersecurity risk. The NIST Cybersecurity Framework v1.1 is consistent with and builds upon v1.0, and it remains flexible, voluntary, and cost-effective to develop and implement for organizations that invest the time and resources into it.

Summary of Updates in NIST Cybersecurity Framework 1.1

  • Broader Applicability: The NIST Cybersecurity Framework declares its applicability for IT, OT, cyber-physical systems, and IoT.
  • Emphasis on Supply Chain: There is enhanced guidance for applying the CSF to vendor risk management.
  • Access Control Category Nomenclature: The Access Control Category has been renamed Identity Management and Access Control, to better account for authentication, authorization, and identity-proofing.
  • Updates to Informative References: The new version administratively updates the Informative References.
  • Terminology Clarification: The term “utility” is clarified as a structure and language for organizing and expressing compliance with an organization’s cybersecurity requirements.
  • Risk Assessment Guidelines: A new section explains how the NIST CSF can be used to understand and assess cybersecurity risk, especially for self-assessment, making it easier to compare current conditions to past ones.
  • New Subcategories: A subcategory has been added related to the vulnerability disclosure lifecycle.
  • Purchasing Guidance: A new section helps organizations understand the risk that comes with commercial, off-the-shelf products and services.
  • Risk Added to Implementation Tiers: Further risk-management criteria were added to the Implementation Tiers.

NIST also released an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment, and collaboration.

The NIST Framework Updating Process Continues

Designed to be relevant for organizations of every size, sector, and type, NIST’s latest Cybersecurity Framework draft has evolved to become more informative, useful, and inclusive of organizations in both government and the private sector.

“The release of the Cybersecurity Framework 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director.

NIST also continues to support the development of voluntary, industry-led cybersecurity standards and best practices beyond the NIST Cybersecurity Framework. The process used to update the Framework is now published on the Cybersecurity Framework website so that everyone involved understands how future updates are made.
