In 2014, the National Institute of Standards and Technology (NIST) created the “Cybersecurity Framework,” a manual to help companies keep intruders out of their computer systems that manage critical infrastructure and/or intellectual property.
In 2013, President Obama issued an executive order, Improving Critical Infrastructure Cybersecurity, and called for the development of a Cybersecurity Framework. Purely voluntary, the non-industry-specific document was to provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to manage cybersecurity risk for those processes, information and systems directly involved in the delivery of critical infrastructure services. The framework, developed in collaboration with industry, provides guidance to an organization managing cybersecurity risk.
Now NIST is updating the earlier version (1.0) and has published new draft guidance, “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.” This document incorporates feedback since the Version 1.0 release and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop in 2016.
What’s new in Version 1.1?
No company is an island today—so to speak. A manufacturer connects with its suppliers, partners and customers. Therefore, the primary concern in Version 1.1 is managing cyber supply chain risks, clarifying key terms and introducing new measurement methods for cybersecurity.
“We wrote this update to refine and enhance the original document and to make it easier to use,” says Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
Cyber supply chain risk management is an organization-wide approach to risk that is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g., risk council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. An organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.
In addition, the vocabulary of the new document has been designed to allow all users working on a project to understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency connecting with a system integrator to build an IT system. In the Identity Management and Access Control category, the draft clarifies and expands the definitions of the terms “authentication” and “authorization.” In addition, the related concept of “identity proofing” is defined.
Version 1.1 includes a new section on cybersecurity measurement, which discusses the correlation of business results to cybersecurity risk management metrics and measures. The new version adds a better explanation of the relationship between implementation tiers and profiles.
“Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” adds Barrett.
NIST would like to hear your comments on the new Version 1.1 by April 10, 2017. The draft guidance document, “Cybersecurity Framework Draft Version 1.1,” can be found at www.nist.gov/cyberframework/draft-version-11. Feedback and comments can be sent via email (cyberframework@nist.gov) no later than April 10, 2017.
More help with cybersecurity
With regard to cybersecurity threats to networks and facilities, Rockwell Automation has released an ebook entitled, “Industrial Security: Protecting networks and facilities against a fast-changing threat landscape.” The document presents a holistic approach to cybersecurity consisting of a security assessment, defense-in-depth (DiD) strategy and “trusted vendors.”
To read the ebook, visit Rockwell’s Industrial Security site.