Newest version addresses online supply chain risk management and use of metrics

Last month, the National Institute of Standards and Technology issued a new update to its Framework for Improving Critical Infrastructure Cybersecurity. The cybersecurity framework is used by many organizations for assessing and improving their systems to prevent, detect, and respond to cyber-attacks. While it was first intended as a framework for protecting critical infrastructure such as the electrical grid and roads and bridges, many companies have adopted it as a blueprint for managing cybersecurity risks.

The updated framework provides new details on managing online supply chain risks and also clarifies some additional terms and measurement methods for cybersecurity. According to NIST, a unit of the Commerce Department that promotes industry measurement standards, the updated framework "aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks."

NIST doesn't expect the update to the framework, which is a common tool for IT auditors, to be onerous for users to adopt. "Current users can implement version 1.1 with minimal or no disruption, as refinements were made with the objective of being compatible with Version 1.0," it states in the opening to the updated version.

The Cybersecurity Framework was first published in February 2014 at the urging of President Obama and reflects a collaborative process involving industry, academics, and government agencies. It is divided into three parts, core, profile, and tiers, which detail suggested approaches to different aspects of cybersecurity.

The update, known as the NIST Cybersecurity Framework, 1.1, incorporates feedback from users and cybersecurity experts since it was first developed. "We wrote this update to refine and enhance the original document and to make it easier to use," said Matt Barrett, NIST's program manager for the Cybersecurity Framework. "This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation," he says.

The Cyber Supply Chain
The biggest change is to add a section on online supply chain risk management (SCRM). The draft update states that a "primary objective of cyber SCRM is to identify, assess, and mitigate 'products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain." Cyber SCRM encompasses cybersecurity throughout the entire supply chain from vendors, suppliers, and IT partners.

To assist users wanting to apply the framework to online supply-chain risk management, the authors developed a vocabulary so all organizations working together on a project can clearly understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system.

In the renamed and revised "Identity Management and Access Control" category, the draft clarifies and expands the definitions of the terms "authentication" and "authorization." Authors also added and defined the related concept of "identity proofing."

NIST-Framework-ReworkIn the draft update, NIST also addresses the use metrics to measure the business impact of using the framework's standards. "In the update we introduce the notion of cybersecurity measurement to get the conversation started," Barrett said. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion," he added.

Five Core Functions of the Framework
The five core functions of the framework have not changed. As explained by NIST, "the core functions are not intended to form a serial path, or lead to a static desired end state. Rather, the functions can be performed continuously to form an operational culture that addresses the dynamic cybersecurity risk."

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.

NIST is seeking public comment on this draft Framework Version 1.1, regarding the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than "version 1.1" for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

The deadline to send comments on the draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 is April 10, 2017. Comments can be sent to