New document offers updated guidance to companies looking to protect themselves.

NIST’s definition of cyber supply chain relationship includes an organization, its suppliers, partners and buyers. Source: NIST.

March 13, 2017

No Comments

In 2014, the National Institute of Standards and Technology (NIST) created the “Cybersecurity Framework,” a manual to help companies keep intruders out of their computer systems that manage critical infrastructure and/or intellectual property.

In 2013, President Obama issued an executive order, Improving Critical Infrastructure Cybersecurity, and called for the development of a Cybersecurity Framework. Purely voluntary, the non-industry-specific document was to provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to manage cybersecurity risk for those processes, information and systems directly involved in the delivery of critical infrastructure services. The framework, developed in collaboration with industry, provides guidance to an organization managing cybersecurity risk.

Now NIST is updating the earlier version (1.0) and has published new draft guidance, “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.” This document incorporates feedback since the Version 1.0 release and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop in 2016.

What’s new in Version 1.1?

No company is an island today—so to speak. A manufacturer connects with its suppliers, partners and customers. Therefore, the primary concern in Version 1.1 is managing cyber supply chain risks, clarifying key terms and introducing new measurement methods for cybersecurity.

“We wrote this update to refine and enhance the original document and to make it easier to use,” says Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

Cyber supply chain risk management is an organization-wide approach to risk that is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g., risk council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. An organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.

In addition, the vocabulary of the new document has been designed to allow all users working on a project to understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency connecting with a system integrator to build an IT system. In the Identity Management and Access Control category, the draft clarifies and expands the definitions of the terms “authentication” and “authorization.” In addition, the related concept of “identity proofing” is defined.

Version 1.1 includes a new section on cybersecurity measurement, which discusses the correlation of business results to cybersecurity risk management metrics and measures. The new version adds a better explanation of the relationship between implementation tiers and profiles.

“Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” adds Barrett.

NIST would like to hear your comments on the new Version 1.1 by April 10, 2017. The draft guidance document, “Cybersecurity Framework Draft Version 1.1,” can be found at www.nist.gov/cyberframework/draft-version-11. Feedback and comments can be sent via email (cyberframework@nist.gov) no later than April 10, 2017.

More help with cybersecurity

With regard to cybersecurity threats to networks and facilities, Rockwell Automation has released an ebook entitled, “Industrial Security: Protecting networks and facilities against a fast-changing threat landscape.” The document presents a holistic approach to cybersecurity consisting of a security assessment, defense-in-depth (DiD) strategy and “trusted vendors.”

To read the ebook, visit Rockwell’s Industrial Security site.

You must login or register in order to post a comment.

Gain some clarity on the technologies to get your data working for you—whether you’re just looking to add more sensors and monitoring, or you’ve been crunching data for a while and want to move to a new level of efficiency.

Building an Industry 4.0 Vision to Ensure Food Safety and Reduce Food Waste

Without a doubt, the world is changing, intensifying the need for companies to be more digitally connected. For the food and beverage industry, the fourth industrial revolution gives rise to technologies that help increase productivity, improve food safety, reduce food and resource waste, and provide full supply chain transparency from farm to consumers.

Poll

COVID and Staffing

View Results

Poll Archive

Products

Packaging Research in Food Product Design and Development

Packaging Research in Food Product Design and Development is the first book to comprehensively address the issues of graphics design and visual concepts, from a systematic, scientific viewpoint, yet with business applications in mind.

See More Products

NIST addresses cybersecurity for companies

New document offers updated guidance to companies looking to protect themselves.

What’s new in Version 1.1?

More help with cybersecurity

Food Engineering

2020 September

NIST addresses cybersecurity for companies

New document offers updated guidance to companies looking to protect themselves.

What’s new in Version 1.1?

More help with cybersecurity

Related Articles

Related Events

Report Abusive Comment