NIST releases updated cybersecurity framework
The National Institute of Standards and Technology on Monday released a much-anticipated update to its Cybersecurity Framework, which provides organizations with guidelines for implementing cybersecurity practices.
Updates in Version 1.1 include refreshed guidelines on authentication and identity; cyber risk self-assessments; managing supply chain cybersecurity; and vulnerability disclosure.
“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the framework, in the release. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
President Donald Trump issued an executive order in May 2017 directing all federal agencies to use the Cybersecurity Framework, including future versions, to manage cybersecurity risk. Beyond that, the framework also serves as a reference point for the private sector.
“First, business leaders and policymakers view the Framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad,” said Matthew Eggers, who runs cybersecurity policy at the U.S. Chamber of Commerce, in a statement. “…while the Framework was developed to improve the cybersecurity of critical infrastructure, it can be used by organizations in any sector or community.”
The standards agency has been developing Version 1.1 for more than two years, fielding public input and holding workshops to hear from stakeholders.
“From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally,” said Walter Copan, NIST director and undersecretary at the Department of Commerce.
NIST still has plans for this version of the framework. The agency plans to put out a companion document, the “Roadmap for Improving Critical Infrastructure Cybersecurity”, later this year to highlight key areas for further collaboration. It will also host a webinar to discuss the updated framework later this month.