The National Institute for Standards and Technology (NIST) has released an update to the draft of its cyber standards framework meeting industry requests for security self-assessment standards and directives for managing IT supply chain risks.

Version 1.1 of NIST’s Cybersecurity Framework was released Tuesday with revisions included from comments the agency solicited during a January public review process and a May industry workshop.

“This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use,” NIST said in a statement following the release of the latest draft.

NIST published the first version of the framework in 2014. It is meant to provide the IT industry with a policy framework of cyber security guidelines and methods for protecting critical infrastructure.

The updated document adds a new section clarifying specific metrics for businesses to use in self-assessing their level of cyber resiliency.

“The better an organization is able to measure its risk, costs, and benefits of cyber security strategies and steps, the more rational, effective, and valuable its cyber security approach and investments will be,” the newly added section on self-assessing cyber risks said.

NIST reiterates that businesses should make IT choices based on how specific portions of their cyber security operations would be affected at each implementation tier. The framework directs industry to review its cyber risk management by re-examining its current implementation tiers.

The new version calls for businesses to develop “Target Profiles” to identify where security outcomes need to improve, and then determine how current cyber security procedures are hindering or helping reach those profiles.

NIST has also clarified the use of its framework for managing cyber security within supply chains.

The agency revised its section on “Communicating Cybersecurity Requirements with Stakeholders” to improve how users assess and mitigate the risks associated with products or services that may contain malicious cyber threats.

The framework’s new Cyber Supply Chain Risk Management directives include determining cyber security requirements with suppliers, enacting those requirements through formal contracts and communicating with vendors on how risk assessments will be verified and validated.

Industry officials are offering support for the revisions included in the updated framework.

Larry Clinton, CEO of the IT industry trade association the Internet Security Alliance, believes the original document was mostly a reorganization of existing standards and the new version meets NIST’s original goal for providing industry guidance.

“The 1.1 version of the NIST Framework may prove to be more impactful than the original version released in 2013,” Clinton said in a statement. “To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization. Indeed, the new draft makes clear that adaptation of the NIST [Cybersecurity Framework] to some generic compliance regime was never intended and is, in fact, inappropriate.”

NIST is accepting comments on the new draft through Jan. 19, and is aiming for a Spring 2018 deadline to finalize its Cybersecurity Framework.