The National Institute of Standards and Technology (NIST) issued a draft update on Tuesday to its Framework for Improving Critical Infrastructure Cybersecurity, aka the Cybersecurity Framework, aimed at forging stronger cybersecurity measures.
To assist organizations in reducing cybersecurity risk, NIST, a branch of the U.S. Department of Commerce which provides measurement standards, offered up a new draft to evolve its voluntary guidance on "managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity."
First issued in 2014, at the behest of an executive order, the Cybersecurity Framework's original intention was to develop a collaborative process – involving industry, academia and government agencies – to develop a voluntary framework to "help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid." Since then, the guidance has evolved and been adapted more broadly.
NIST claimed that the latest draft, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, includes comments and suggestions from 2015 requests for comment as well as from attendees of a Cybersecurity Framework Workshop 2016.
"The national and economic security of the United States depends on the reliable functioning of critical infrastructure," the draft explained. "Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk."
The new update to the Framework empowers organizations – large and small, regardless of degree of cybersecurity – to use the risk management guidance to strengthen the security and defense of critical infrastructure.
“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST's program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
One feature of the latest draft includes the creation of standardized terms so chain risk management collaborators can more easily coordinate cybersecurity efforts. The goal, NIST stated, was for small businesses to more efficiently choose cloud service providers and for a federal agency partnering with a system integrator to implement an IT system.
“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” he added.
Use of the Cybersecurity Framework is voluntary, Barrett told SC Media on Wednesday. "It is vital that organizations use a cybersecurity risk management approach that a) addresses a comprehensive breadth of cybersecurity concerns, b) balances cybersecurity operations with incident preparation activities, and c) seamlessly integrates with enterprise risk decisions which are broader than just cybersecurity."
The Cybersecurity Framework, he adds, meets all of these criteria, therefore it is recommended for consideration and use.
NIST said its Framework is a living document and further enhancements will continuously be amended.
The deadline to send comments is April 10. Comments should be sent to [email protected]. As well, an official said NIST will hold a public workshop following the comment period.
Depending on the volume of public comment, Barrett told SC that the next proposed update for the Cybersecurity Framework should be published in Fall 2017.