NIST’s Proposed Revisions to Cybersecurity Framework Refine Risk-Management, Self-Assessment

The National Institute of Standards and Technology (NIST) released the second draft of the proposed update to its Framework for Improving Critical Infrastructure Cybersecurity. The new draft aims to clarify, refine, and enhance the framework as well as “amplifying its value and making it easier to use,” NIST officials said.

The new draft comes on the heels of a White House executive order issued last May that directed heads of executive agencies or departments to use the NIST framework to manage their agencies’ cybersecurity risk. It also made them accountable for managing cybersecurity risk to their enterprises and directed them to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources to support their risk-management efforts under the framework.

The draft update was developed to address feedback and frequently asked questions and is based on input received in hundreds of comments solicited by NIST and through two workshops.

The new draft clarifies that the framework applies to a range of technologies, including at a minimum information technology, operational technology, cyber-physical systems, and the Internet of Things. It also enhances guidance to help users better understand how to manage cybersecurity within supply chains and revises the cybersecurity measurement language, summarizing its relevance and utility for organizational self-assessment.

In addition, the draft includes new sections on authorization, authentication, identity proofing, and vulnerability disclosures. One of the most important updates is the application of the framework to Cyber Supply-Chain Risk Management (SCRM), said Matt Barrett, program manager for the framework.

“Supply chain risk management is a part of enterprise considerations that is both affected by, and affects cybersecurity,” Barrett told MeriTalk. “The framework explanation of cyber SCRM will better enable organizations to determine their current status and desired state with regard to cyber supply-chain risk management practices.”

Barrett said that Federal users should also take note of the refined Section 4.0 of the draft, titled Self-Assessing Cybersecurity Risk with the Framework. “It emphasizes how organizations might use framework to measure their risk,” he said.

NIST has also issued a proposed update to its Roadmap for Improving Critical Infrastructure, a companion document that describes future activities concerning the framework and offers stakeholders an opportunity to actively participate in continuing to refine the framework. The roadmap is informed by public comments and “reflects ongoing work relating to the framework and, more broadly, to cybersecurity risk management,” NIST said.

Barrett said that NIST officially acknowledged measuring cybersecurity as an item on the roadmap to affirm NIST’s “intent to engage the stakeholder community in the broader dialogue around measurement and to work with stakeholders on which topics are good candidates for integration into future framework versions.”

He also explained that the new self-assessment section 4.0 in the framework and related topics in the roadmap are critical to aligning strategic, operational, and budgetary planning processes through the integrated teams of senior executives required by the White House’s executive order.

“Senior executives are increasingly asking questions about return on investment in cybersecurity, and cybersecurity professionals need to develop a thoughtful and accurate answer,” Barrett said. “NIST wants to help our stakeholders arrive at that more thoughtful and accurate answer. Relevant and appropriate portions of the stakeholder dialogue will enhance future versions of framework.”

Overall, “the strength of the NIST framework in making cybersecurity accessible to people who are not cybersecurity experts” is reflected in the White House’s executive order, Barrett added. “The framework accomplishes this through a common and accessible language.”

Public comments on the second draft of the cybersecurity framework and draft roadmap are due to NIST on Jan. 19, 2018. NIST expects to finalize the new framework in spring 2018, officials said.
