The Cybersecurity Framework was originally published in February 2014, and the Cybersecurity Enhancement Act of 2014 requires NIST to continue working on the Framework. The updated version provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity.
“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
Version 1.1 includes a new section on cybersecurity measurement, an expanded explanation of using the Framework for cyber supply chain risk management purposes, refinements to better account for authentication, authorization, and identity proofing, and more.
“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
NIST plans to publish a final Framework Version 1.1 around fall 2017.