On April 16, 2018, the National Institute of Standards and Technology issued an updated form of its Framework for Improving Vital Infrastructure Cybersecurity (Cybersecurity Structure).
The Cybersecurity Structure was first released in February 2014 and has been extensively accepted by vital infrastructure proprietors and public and private sector companies to steer their cybersecurity plans. Although envisioned for use by critical infrastructure industries, the flexibility of the framework implies it can also be implemented by a wide variety of companies, small and large, including healthcare businesses.
The Cybersecurity Framework includes procedures, standards, and best practices and suggests a flexible approach to cybersecurity. There are numerous methods that the Framework can be used with sufficient possibility for customization. The Framework assists companies tackle different dangers and weaknesses and matches different levels of danger tolerance.
The Framework was envisioned to be a living document that can be revised and improved over time in reaction to comment from users, altering best practices, new dangers, and advances in technology. The new form is the first main update to the framework since 2014 and the consequence of two years of development.
NIST’s Matt Barrett, program manager for the Cybersecurity Framework, described that the latest form “clarifies, refines and increases version 1.0.” While numerous modifications have been made in form 1.1, Barrett described, “It is still flexible to meet an individual company’s business or mission requirements and applies to a wide variety of technology situations such as industrial control systems, information technology and the Internet of Things.”
Version 1.1 of the Cybersecurity Framework includes several updates in response to comments and feedback received in 2016 and 2017 from organizations that have already adopted the Framework.
Form 1.1 sees improvements to the procedures on authorization, authentication and identity proofing and a better description of the connection between application levels and profiles. The Framework for Cyber Supply Chain Risk Management has been considerably extended and there is a new section on self-assessment of cybersecurity danger. The section on the revelation of weaknesses has also been expanded with a new subdivision added related to the weakness disclosure lifespan.
“Cybersecurity is important for national and economic safety,” stated Secretary of Commerce Wilbur Ross. “The charitable NIST Cybersecurity Framework must be every company’s first line of defense. Adopting form 1.1 is a must do for all CEO’s.”
NIST is also forecasting to issue a companion ‘Roadmap for Improving Vital Infrastructure Cybersecurity’ later this year and will be holding a webinar later this month to describe and discuss the form 1.1 updates to the Framework.