New document offers updated guidance to companies looking to protect themselves.

NIST’s definition of cyber supply chain relationship includes an organization, its suppliers, partners and buyers. Source: NIST.

March 13, 2017

No Comments

In 2014, the National Institute of Standards and Technology (NIST) created the “Cybersecurity Framework,” a manual to help companies keep intruders out of their computer systems that manage critical infrastructure and/or intellectual property.

In 2013, President Obama issued an executive order, Improving Critical Infrastructure Cybersecurity, and called for the development of a Cybersecurity Framework. Purely voluntary, the non-industry-specific document was to provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to manage cybersecurity risk for those processes, information and systems directly involved in the delivery of critical infrastructure services. The framework, developed in collaboration with industry, provides guidance to an organization managing cybersecurity risk.

Now NIST is updating the earlier version (1.0) and has published new draft guidance, “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.” This document incorporates feedback since the Version 1.0 release and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop in 2016.

What’s new in Version 1.1?

No company is an island today—so to speak. A manufacturer connects with its suppliers, partners and customers. Therefore, the primary concern in Version 1.1 is managing cyber supply chain risks, clarifying key terms and introducing new measurement methods for cybersecurity.

“We wrote this update to refine and enhance the original document and to make it easier to use,” says Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

Cyber supply chain risk management is an organization-wide approach to risk that is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g., risk council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. An organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.

In addition, the vocabulary of the new document has been designed to allow all users working on a project to understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency connecting with a system integrator to build an IT system. In the Identity Management and Access Control category, the draft clarifies and expands the definitions of the terms “authentication” and “authorization.” In addition, the related concept of “identity proofing” is defined.

Version 1.1 includes a new section on cybersecurity measurement, which discusses the correlation of business results to cybersecurity risk management metrics and measures. The new version adds a better explanation of the relationship between implementation tiers and profiles.

“Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” adds Barrett.

NIST would like to hear your comments on the new Version 1.1 by April 10, 2017. The draft guidance document, “Cybersecurity Framework Draft Version 1.1,” can be found at www.nist.gov/cyberframework/draft-version-11. Feedback and comments can be sent via email (cyberframework@nist.gov) no later than April 10, 2017.

More help with cybersecurity

With regard to cybersecurity threats to networks and facilities, Rockwell Automation has released an ebook entitled, “Industrial Security: Protecting networks and facilities against a fast-changing threat landscape.” The document presents a holistic approach to cybersecurity consisting of a security assessment, defense-in-depth (DiD) strategy and “trusted vendors.”

To read the ebook, visit Rockwell’s Industrial Security site.

You must login or register in order to post a comment.

Consumers are choosing products and brands they know and trust as they shop for food during the global pandemic. Any disruption to production could damage brand reputation, wreak havoc on throughput and disrupt the supply chain.

Poll

Production in 2021

View Results

Poll Archive

Products

Packaging Research in Food Product Design and Development

Packaging Research in Food Product Design and Development is the first book to comprehensively address the issues of graphics design and visual concepts, from a systematic, scientific viewpoint, yet with business applications in mind.

See More Products

Food Engineering

2020 December

In the December 2020 issue of Food Engineering, Pod Pack's Baton Rouge, La. facility is named a Fabulous Food Plant. Also in this issue, we present a recap of this year's FA&M Conference.

View More Create Account

NIST addresses cybersecurity for companies

New document offers updated guidance to companies looking to protect themselves.

What’s new in Version 1.1?

More help with cybersecurity

Related Articles

Related Events

Report Abusive Comment