On January 10, the National Institute of Standards and Technology (NIST) released the long-awaited draft of the Cybersecurity Framework (CSF), draft version 1.1.
Since its initial release, the CSF has gained remarkable recognition in both the public and private sectors as a shared foundation for cybersecurity risk management. The CSF comprises three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core comprises five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is further divided into Categories, Subcategories, and Informative References. The Framework Implementation Tiers and Framework Profiles are tools that help organizations tailor their application of the Framework Core to their particular business model or sector.
The revisions in CSF draft version 1.1 focus on four key areas:
- Framework Tiers
CSF draft version 1.1 clarifies the relationship between the Framework Implementation Tiers and the Framework Profiles. Specifically, CSF draft version 1.1 highlights how an organization can use Framework Tiers during implementation of the Framework. The Framework Tiers put an organization's cybersecurity practices in context within the greater cyber-ecosystem. This context helps organizations to improve their approach to cybersecurity risk management by allowing them to assess their position relative to other stakeholders.
- Supply Chain Risk Management (SCRM)
In recent years, sensitivity to the security of organizational supply chains has become an area of increasing concern across most industry sectors, as the risk introduced through technical and process dependencies becomes better understood.
To help improve the security of organizational supply chains, NIST has taken several steps in the CSF: adding a SCRM Category to the Framework Core; making several revisions and additions at the Subcategory level across multiple Categories; and adding SCRM as a criterion in the Implementation Tiers.
- Access Control Category
CSF draft version 1.1 modifies the Access Control Category, which falls within the Protect Function. The modified Access Control Category now encompasses authentication, authorization, and identity proofing. Accordingly, CSF draft version 1.1 renames the Category "Identity Management and Access Control" (PR.AC), to characterize more accurately the scope of the Category and its Subcategories. To further support the refined Category, CSF draft version 1.1 includes an additional Subcategory that specifically addresses identity proofing.
- Measuring and Demonstrating Cybersecurity
NIST is taking the first steps toward providing guidance on how to develop metrics and measurement for organizations using the Framework. CSF draft version 1.1 includes a section titled "Measuring and Demonstrating Cybersecurity," which explains the relationship between business objectives and cybersecurity risk management metrics and measures. The updated framework draft also provides a summary of metrics and measures as they relate to the CSF.
The period for submitting comments and feedback to NIST on CSF draft version 1.1 will conclude on April 10, 2017. Following the comment period, NIST will convene a workshop for interested stakeholders to discuss CSF draft version 1.1. NIST stated that it plans to publish the final CSF version 1.1 around the fall of 2017.