Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) has released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.
The framework was developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of a President Obama-issued executive order calling for the development of a set of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyberattack. 
Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods. Changes to Version 1.1 includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among other changes.
For one, the update has renamed the Access Control Category to Identity Management and Access Control, to better account for authentication, authorization and identity-proofing.
It also has added a new section: Section 4.0 Self-Assessing Cybersecurity Risk with the Framework explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.
On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new section (3.4) focuses on buying decisions and the use of the framework in understanding risk associated with commercial off-the-shelf products and services. Additional risk-management criteria were added to the Implementation Tiers for the framework; and a supply-chain risk-management category has been added to the Framework Core.
Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways in which the framework can be used by an organization; and the addition of a subcategory related to the vulnerability disclosure lifecycle.
“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things (IoT).”
Its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia.”
So far, adoption of the framework has been fairly widespread: PwC’s 2018 Global State of Information Security Survey (GSISS) for instance found that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set information security standards in their respective industries. The report also found that financial institution clients were widely embracing benchmarking of their cyber risk management programs against the NIST Cybersecurity Framework.
“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”
Efforts to expand its influence are continuing: In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Also, corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it, NIST noted.
Meanwhile, to help ease the process of adoption, the Information Security Forum (ISF) has mapped the framework and its annual Standard of Good Practice for IT security professionals. Last year, IT governance organization ISACA launched an audit program aligning the NIST framework with COBIT 5, designed to provide management with an assessment of the effectiveness of an organization’s plans to detect and identify cyber-threats, and protect against them.
“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.
“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”
