The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) allows organizations to prioritize cybersecurity resources and help them make risk-related decisions. Using the NIST CSF, businesses can identify, assess, and take actions to reduce cyber risk while enhancing communication within their organization and with partners, suppliers, and regulators.
A History of the NIST CSF
The first NIST Cybersecurity Framework, Version 1.0, was published in February 2014, after a year in development. Created by a collaboration of industry, academic, and government stakeholders, the first version of the CSF primarily targeted organizations that are part of the United States’ critical infrastructure.
An Executive Order to Reduce Cyber Risk
In February 2013, a Presidential Order instructed the Secretary of Commerce to “lead the development of a framework to reduce cyber risks to critical U.S. infrastructure. “There would be “a set of standards, methodologies, procedures, and processes that would align policy, business, and technological approaches to address cyber risks.” The result was the NIST Cyber Security Framework v1.0., introduced in February 2014.
The rationale was to create a set of practices, standards, and industry guidelines to help organizations tied to the nation’s financial, energy, healthcare, and other critical industry sectors better protect their information and physical assets from cyber-attacks. The CSF incorporated voluntary consensus standards and industry best practices consistent with voluntary international standards.
Built using three layers - the Framework Core, Framework Implementation Tiers, and Profiles - the CSF (formally known as the Framework for Improving Critical Infrastructure Cybersecurity) was most remarkable for its outcomes-based approach to cybersecurity risk management.
In 2015, the Cybersecurity Framework was updated, and in December 2017, NIST released the second draft of Framework v1.1. The new profile was meant to consider public and private sector feedback received by NIST since v1.0 was published to improve cybersecurity standards and industry guidelines. This included hundreds of written comments and conversations with over 1,000 participants at the 2016 and 2017 annual workshops, where CyberSaint’s Founder was also in attendance providing feedback on the CSF. Two drafts of version 1.1 were also circulated for public comments.
What’s In NIST Cybersecurity Framework Version 1.1?
Four years after Framework v1.0 was introduced, NIST released v1.1. The new goal was for Framework v1.1 to not only be flexible enough to be adopted by federal agencies and state and local governments but by large and small companies and organizations across all industry sectors.
The update replaced current cybersecurity standards. It clarified, refined, and enhanced the Framework - increasing its value and making it easier for even more organizations to use it in managing their cybersecurity risk. The NIST Cybersecurity Framework v1.1 is consistent with and builds upon v1.0, and it remains flexible, voluntary, and cost-effective.
Summary of NIST CSF V 1.1
- Broader Applicability: The Cybersecurity Framework declares its applicability for IT, OT, cyber-physical systems, and IoT.
- Emphasis on Supply Chain: There is enhanced guidance for applying the CSF to vendor risk management and supply chain risk management.
- Access Control Category Nomenclature: The Access Control Category has been renamed Identity Management and Access Control, to better account for authentication, authorization, and identity-proofing.
- Updates to Informative References: The new version administratively updates the Informative References.
- Terminology Clarification: The term “utility” is clarified as a structure and language for organizing and expressing compliance with an organization’s cybersecurity requirements.
- Risk Assessment Guidelines: A new section explains how the CSF can be used to understand and assess cybersecurity risk, especially for self-assessment, making comparing current to past conditions easier.
- New Subcategories: A subcategory related to the vulnerability disclosure lifecycle has been added.
- Purchasing Guidance: A new section focuses on understanding the risk that comes with commercial, off-the-shelf products and services.
- Risk Added to Implementation Tiers: Further risk-management criteria were added to the Implementation Tiers.
Also, NIST released an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment, and collaboration.
The Framework Updating Process Continues
Designed to be relevant for every size, sector, and type of organization, NIST’s latest Cybersecurity Framework draft has evolved to become more informative, practical, and inclusive of government and private organizations.
“The release of the Cybersecurity Framework 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director.
The NIST also continues to support the development of voluntary, industry-led cybersecurity standards and best practices. The framework update process is now published on the Cybersecurity Framework website to ensure everyone involved understands how future updates are made.
The NIST CSF has been updated since the publication of this article. NIST CSF 2.0 includes a new core function, 'Govern,' renewed emphases on supply chain risk management, widespread applicability beyond critical infrastructure, and new information reference for implementation.