NIST Publishes Draft 2 of Cybersecurity Framework Version 1.1
On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published Draft 2 of Cybersecurity Framework version 1.1 (the “Framework”). The draft is intended to provide a flexible, voluntary, and effective tool to help organizations better manage their cybersecurity risks.
For those unfamiliar with the Framework, it was developed in response to growing awareness that the national and economic security of the United States depends on the reliable functioning of critical information technology infrastructure and that cybersecurity threats place the nation at risk. On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (the “Order”), which calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. In accordance with the Order, NIST employed a collaborative process with private and public stakeholders to create the Cybersecurity Framework, releasing version 1.0 in February 2014. The Cybersecurity Enhancement Act of 2014 (“CEA”) formalized NIST’s previous work of developing Framework version 1.0 in response to the Order and provided guidance for future Framework evolution. With the input of solicited public comment, NIST published an initial draft version of Framework version 1.1 in January 2017, and with the input of further comment, NIST published Draft 2 Framework version 1.1 in December 2017.
Draft 2 of version 1.1 emphasizes flexible ways to address cybersecurity and stresses that the Framework applies to any organization relying on technology, whether its cybersecurity focus is on information technology, industrial control systems, cyber-physical systems, or connected devices more generally, including the Internet of Things.
Draft 2 also emphasizes the:
- Correlation of business results to cybersecurity risk management, highlighting the role of measurements in self-assessment of cybersecurity risk;
- Clarification of the use of the Framework to manage cybersecurity within supply chains; and
- Refinements to better account for authorization, authentication, and identity proofing.
A note of general interest to those new to the Framework is that, in developing it, the Federal government was mindful of threats to civil liberties and individual privacy. Executive Order 13636 requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. While processes and existing needs will differ from one organization to another, the Framework can assist organizations in incorporating privacy and civil liberties protections as part of a comprehensive cybersecurity program.
A copy of Draft 2 of Version 1.1 may be found on the NIST website.