Four years after releasing a voluntary guide to best practices and standards for strengthening the cyber security posture of public and private organizations, the National Institute of Standards and Technology (NIST) on Monday released an updated version of the Cybersecurity Framework that includes updates related to authentication, supply chain security, self-assessment and vulnerability disclosure.
“Cybersecurity is critical for national and economic security,” Secretary of Commerce Wilbur Ross said in a statement accompanying the release of Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adoption of version 1.1 is a must do for all CEOs.”
The first version of the framework was released in Feb. 2014 and, like the latest iteration, was a collaborative effort between the public and private sectors to help guide entities and their leaders in mitigating cyber security risks. Updates to Version 1.1 are based on feedback from the public and workshops held in 2016 and 2017.
“This update refines, clarifies and enhances Version 1.0,” Matt Barrett, program manager for the framework, said in a statement. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
The framework is a living document that is meant to be flexible enough for wide-scale adoption and to evolve over time. The Trump administration in May 2017 directed federal agencies to adopt the framework.
The 55-page document includes six key updates from the initial version. It includes a section on how the framework can be used to understand and self-assess organizational risk. It also refines language to better account for authentication, authorization and identity proofing related to access control of networks.
Version 1.1 is also aimed at helping organizations better understand the risks associated with buying commercial off-the-shelf products and services, and at helping them understand cyber supply chain risk management.
Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus, in a statement endorsed the updated framework although he said it needs to “provide more concrete guidance on ways to quantify risk.”