It’s been a long time coming. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) recently released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity, or affectionatey called the Cybersecurity Framework.The initial framework was created to help organizations that operate critical infrastructure better secure their digital assets. These industries include energy, banking, communications and the defense industrial base. However, organizations outside of the critical infrastructure industries have turned to the Cybersecurity Framework for guidance when it comes to securing their systems and data.
Version 1.1, the first update since February 2014, includes updates to authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.
The changes, according to NIST, are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to help NIST comprehensively address all of these inputs.
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter G. Copan, Under Secretary of Commerce for Standards and Technology and NIST Director. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”
Matt Barrett, program manager for the Cybersecurity Framework, said “this update refines, clarifies and enhances Version 1.0. It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments, such as information technology, industrial control systems and the Internet of Things.”
The framework update process is now published on the Cybersecurity Framework website. Later this year NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which will describe key areas of development, alignment and collaboration.
“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”
“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEO’s.”