NIST CSF Update Uses Valuable Feedback to Make Invaluable Changes: How Businesses Can Approach v1.1

Do you have comments about the Cybersecurity Framework? If so, the National Institute of Standards and Technology would be interested in hearing from you. NIST released the second draft of Cybersecurity Framework Version 1.1 late last year, incorporating feedback received since the release of Version 1.0 in 2014. It was user feedback that prompted the Cybersecurity Framework update.

As directed by the Cybersecurity Enhancement Act of 2014, NIST continues to promote and support the development of voluntary cybersecurity standards and best practices. According to NIST, the process of updating the Cybersecurity Framework from version 1.0 to version 1.1 began in 2015 and is based on substantial stakeholder discussion (including over 200 written comments and conversations with more than 1,200 participants at the 2016 and 2017 annual workshops).


Working Toward a Standard

NIST published the first Cybersecurity Framework in February 2014 in response to a presidential order to improve critical infrastructure cybersecurity. NIST was charged with taking the lead in developing a framework that would include “a set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks.” It was a voluntary framework developed through a collaborative process by industry, academia and government stakeholders.

The Cybersecurity Framework was intended to incorporate voluntary consensus standards and industry best practices to be consistent with voluntary international standards as well. The Framework is designed to be relevant for every size, sector, and type of organization. It offers ways to prioritize cybersecurity resources, make risk decisions, and take actions to reduce risk. It helps organizations identify, manage and assess cybersecurity risks, and enhances cybersecurity communication internally as well as externally with organizations, management, boards, partners and suppliers. Download The Ultimate NIST Cybersecurity Framework Guide for free.


Widespread Acceptance of The Framework


Initially, the Framework was meant to focus on managing cyber risk in industries critical to national and economic security, including energy, banking, communications and defense. It has since proven flexible enough that it has been adopted voluntarily by both large and small companies and organizations across many industries, well beyond those sectors.

Speaking to the Framework’s update: “This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments, such as information technology, industrial control systems and the Internet of Things.”

Industry surveys from companies like Gartner and Cisco indicate growing use of the framework over time. Corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the Framework or even created their own adaptation of it based on what applies to them.

“From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. “The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”


Making Revisions Based on Public Comments

The framework in both versions 1.0 and 1.1 is intended to be neutral in regard to adopting specific technologies, but the new version calls out its effect on information technology, cyber-physical systems and the Internet of Things. Version 1.1 includes updates on:

  • Authentication and identity

  • Self-assessing cybersecurity risk

  • Managing cybersecurity within the supply chain

  • Vulnerability disclosure

The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder input.

Significant revisions to the cybersecurity measurement language emphasize the correlation of business results with cybersecurity risk management through multiple uses of measurement. Self-assessment has always been an important part of cyber protection. With objective measurements to assess current conditions and make comparisons, it becomes easier to see whether an organization’s cybersecurity posture has improved or worsened over time. The new draft also encourages organizations to continue self-testing and assessment across all of their relevant environments.


An Ongoing Process for Improvement

The process for gathering feedback that was used to update Framework v1.0 received high praise from the cybersecurity community and was continued during the development of v1.1. The Framework has evolved to be more informative, useful, and inclusive of all types of organizations beyond just critical infrastructure, and it is now especially attractive to organizations with a large supply chain.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”

The process used to update the framework is published on the Cybersecurity Framework website to ensure everyone understands how future updates will be made. NIST’s website also includes guidance for those new to the framework and perspectives on the framework from users.

Download The Ultimate NIST Cybersecurity Framework Guide for free. We’ll also be glad to answer any of your questions about how the Framework can become the basis of your company’s cybersecurity program moving forward, positioning adoption in a natural, simple and robust manner. CyberStrong was built upon the Framework and uses credible measurement to help you streamline adoption across your enterprise, as well as clearly identify areas to improve and the most efficient path to reach your goals. Get a free demo of CyberStrong and get a quick overview of how our innovative SaaS platform can enhance and improve your current cyber program.