Date Published: December 5, 2017
Author(s): National Institute of Standards and Technology
Announcement
Background
On December 5, 2017, NIST published the second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (a.k.a., draft 2 of Cybersecurity Framework version 1.1). This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. The new draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.
Summary of Document Updates
Like Version 1.0 issued in February 2014, the proposed updates are the result of extensive consultation with the private and public sectors. This draft is intended to provide a flexible, voluntary, and effective tool to help organizations better manage their cybersecurity risks. Like the earlier proposed update, this draft is fully compatible with Version 1.0 and can be used as the basis for communication between organizations. The update:
- Declares the applicability of the Cybersecurity Framework to "technology," which at minimum comprises information technology, operational technology, cyber-physical systems, and the Internet of Things;
- Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
- Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment;
- Better accounts for authorization, authentication, and identity proofing; and
- Administratively updates the Informative References.
NIST also issued a proposed update to the Roadmap for Improving Critical Infrastructure Cybersecurity. This document is informed by public comments and reflects ongoing and planned work relating to the Cybersecurity Framework and cybersecurity risk management more broadly. The Roadmap:
- Describes future activities related to the Cybersecurity Framework and offers stakeholders another opportunity to participate actively in the continuing Cybersecurity Framework development process.
- Includes new topics of focus since the initial Roadmap version, including: the cyber-attack lifecycle, measuring cybersecurity, governance and enterprise risk management, referencing techniques for informative references, and small business awareness and resources.
Public Comment Period
The comment period ends Friday, January 19, 2018. NIST anticipates finalizing Cybersecurity Framework v1.1 in Spring 2018. More information can be found at the Cybersecurity Framework site.
The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats take advantage of the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security at risk. To better protect these systems, the President issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," on February 12, 2013. The Executive Order established that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework - a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework enables organizations - regardless of size, degree of cybersecurity risk, or cybersecurity sophistication - to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.
Keywords
critical infrastructure; cybersecurity; Executive Order 13636; framework; security
Control Families
Access Control; Awareness and Training; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Program Management; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity