The updates NIST made in Version 1.1 of its Framework (PDF) boil down to five major revisions. These are as follows:
1. Amendments to Digital Security Risk Management Language

In an effort to emphasize the correlation between business results and digital security risk management, NIST added Section 4.0 "Self-Assessing Cybersecurity Risk with the Framework." The Section explores the value of self-assessment and measurement when it comes to organizations' security-related investments. As such, it provides some basic guidance on how organizations can best incorporate measurements into the Framework process:

Organizations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management. Any time measurements are employed as part of the Framework process, organizations are encouraged to clearly identify and know why these measurements are important and how they will contribute to the overall management of cybersecurity risk. They also should be clear about the limitations of measurements that are used.

The Section ends by encouraging organizations to innovate new measurements and incorporate them into their application of the Framework "with a full appreciation of their usefulness and limitations."
2. Alterations to an Explanation of How the Framework Can Help Manage Digital Security within the Supply Chain

NIST, which has also published guidance on how companies can recover from data corruption events, made a second major revision by adding the concept of supply chain risk management (SCRM) to Section 3.3 "Communicating Cybersecurity Requirements with Stakeholders." This revision discusses how supply chains factor into critical stakeholder communication and what SCRM broadly consists of. It also identifies a main purpose of SCRM:

A primary objective of cyber SCRM is to identify, assess, and mitigate "products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain."

The Section also now includes the following infographic, which depicts the relationships connecting the technology supplier, technology buyer, non-tech supplier, non-tech buyer, and organization within a digital security supply chain.
3. Better Accounting of Authentication

To emphasize the importance of authentication, NIST added a Subcategory to the Protect -- Identity Management and Access Control (PR.AC) Category. This Subcategory reads as follows:
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
4. Consideration of Coordinated Vulnerability Disclosure

In addition to authentication, NIST created a Subcategory for coordinated vulnerability disclosure in the Response -- Analysis (RS.AN) Category that reads as follows:
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).
5. Excision of the Federal Alignment Section

Last but not least, NIST removed a section on aligning the Framework to federal networks. It made this decision following the publication of President Trump's digital security executive order, a document which, along with other memoranda and guidance, removes the need for federal applicability statements within the actual Framework publication.
A Framework for the Future

Matt Barrett, NIST's lead on the Framework, feels the revised document can help federal and private organizations strengthen their digital security for years to come. As quoted in an interview conducted with Jai Vijayan of Dark Reading:

Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. [The] Framework provides a basis for a standardized communication – increasing an organization's efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state.

NIST is currently seeking feedback on whether the revised document reflects the current digital security landscape. It's also looking to see how the changes might affect those who currently use the Framework, as well as the likelihood that those who currently don't use the Framework might decide to adopt it. Towards that end, feedback and comments should be directed to [email protected]. NIST will then review those public comments and use them to publish a final Framework Version 1.1 in early 2018. In the meantime, learn how Tripwire can help your organization keep up with NIST's ever-changing Framework compliance standards by clicking here.