NIST refines Cybersecurity Framework
- By Sara Friedman
- Apr 27, 2018
As a first line of defense, the National Institute of Standards and Technology’s Cybersecurity Framework helps federal, state and local governments -- as well as organizations across all industry sectors -- manage cybersecurity-related risk.
Version 1.1 is an update to the original released in February 2014 and is meant to serve as a living document where changes can be made as cyber environments and risks shift.
The two versions are fully compatible. The additions, including new categories and subcategories, do not invalidate uses or work products in the first version of the Framework. “We didn’t want to change the framework substantially so the two frameworks could work with each other,” NIST Cybersecurity Framework Program Manager Matt Barrett said during an April 27 webinar on the Framework update.
The changes to the framework are based on feedback collected through public calls for comments, questions received by team members and workshops held in 2016 and 2017.
Changes include a new category for managing supply chain risk, which includes an assessment process for commercial off-the-shelf IT products and services.
Eight subcategories were added, and language was refined in several places, such as clarifying what “compliance” means for various stakeholders. A new section on self-assessment for cybersecurity risk was added, and the access control category has also been changed to better account for authentication, authorization and identity proofing.
In addition, information has been added to implementation tiers and profiles to reflect considerations within an organization’s risk management program. Another subcategory has also been added to address coordinated vulnerability disclosure.
Read Version 1.1 of the Framework here.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at email@example.com or follow her on Twitter @SaraEFriedman.