NIST updates cybersecurity framework
This week, the U.S. National Institute of Standards and Technology (NIST) published an update to its Cybersecurity Framework.
The Cybersecurity Framework emerged in February 2014 as a response to a Presidential Executive Order. The goal of the framework is to minimize risks to critical infrastructure in the United States, such as in the transportation, banking, water and energy sectors. The executive order directed NIST to work with stakeholders across the country to develop the voluntary framework based on existing cybersecurity standards, guidelines and best practices.
According to a statement from NIST, “the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks by providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity.”
NIST also notes that the draft update “incorporates feedback since the release of framework version 1.0, and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop 2016 held at the NIST campus in Gaithersburg, Maryland.”
Key refinements, clarifications, and enhancements in the updated draft include: a new section on cybersecurity measurement; greatly expanded explanation of using the framework to manage supply chain risk; refinements to better account for authentication, authorization, and identity proofing; along with a better explanation of the relationship between implementation tiers and profiles.
The framework was devised by NIST to provide a common language for understanding, managing, and expressing cybersecurity risk, both within an organization and with external parties. According to NIST, an organization can use the framework as a cybersecurity risk management tool to determine which activities are most important to critical service delivery and to prioritize expenditures so that the investment has the greatest impact.
The Cybersecurity Framework is also designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.
It can also be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization.
The latest version of the Framework is available on the NIST Web site.
As previously reported, the U.S. National Institute of Standards and Technology (NIST) announced it will launch a new, ongoing “Face Recognition Vendor Test”, beginning in February 2017.