NIST Cybersecurity Framework Version 1.1 Published

April 28, 2018


The National Institute of Standards and Technology (NIST) published an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) on April 16, 2018.

The Cybersecurity Framework was first published in February 2014 and has been widely adopted by critical infrastructure owners and by public and private sector organizations to support their cybersecurity programs. Although it was intended for critical infrastructure companies, the flexibility of the Framework means it can also be used by a wide variety of organizations, small and large, including healthcare organizations.

The Cybersecurity Framework consists of standards, guidelines, and best practices, and offers a flexible approach to cybersecurity. The Framework can be used in several ways, with ample scope for customization. It helps organizations address different vulnerabilities and threats and accommodates different levels of risk tolerance.

The Framework was designed to be a living document that can be improved and updated over time in response to feedback from users, changing best practices, new threats, and advances in technology. The new version is the first major update to the Framework since 2014 and the result of two years of development.

NIST’s Matt Barrett, program manager for the Cybersecurity Framework, stated that the latest version “clarifies, refines and increases type 1.0.” While many changes have been made in version 1.1, Barrett said, “It is still adaptable to meet an individual group’s business or mission requirements and applies to a wide variety of technology settings such as industrial control systems, information technology and the Internet of Things.”

Version 1.1 of the Cybersecurity Framework contains a range of updates made in response to comments and feedback submitted in 2016 and 2017 by organizations that have already implemented the Framework.

Version 1.1 refines the guidance on authorization, authentication, and identity proofing, and better explains the relationship between Implementation Tiers and Profiles. The section on Cyber Supply Chain Risk Management has been significantly expanded, and there is a new section on self-assessment of cybersecurity risk. The section on vulnerability disclosure has also been expanded, with a new subsection added on the vulnerability disclosure lifecycle.

“Cybersecurity is vital for national as well as economic safety,” remarked Secretary of Commerce Wilbur Ross. “The unpaid NIST Cybersecurity Framework must be every business’s first line of security. Adopting type 1.1 is a must do for all CEOs.”

NIST also plans to issue a companion ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later in 2018 and will hold a webinar later this month to explain the version 1.1 updates to the Framework.