NIST publishes updated draft of Cybersecurity Framework, seeks comment
The National Institute of Standards and Technology published proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity, designed to provide guidance to healthcare organizations and other industries to reduce cybersecurity vulnerabilities.
The proposed updates add details for managing cyber supply chain risks, clarify key terms and introduce cybersecurity measurement methods. They also incorporate feedback and comments from the December 2015 Request for Information and from Cybersecurity Framework Workshop 2016 attendees.
The original framework was published in February 2014 after a collaboration of industry, academia and government agencies as directed by presidential executive order.
"We wrote this update to refine and enhance the original document and to make it easier to use," Matt Barrett, NIST's program manager for the Cybersecurity Framework, said in a statement. "This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation."
"In the update we introduce the notion of cybersecurity measurement to get the conversation started," he added. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion."
The updates are "relatively minor," officials said. However, the latest version expanded the section on communicating cybersecurity requirements with stakeholders to improve the understanding of cyber supply chain risk management.
Access control and identity management definitions were also updated to clarify authentication, authorization and identity proofing. The framework now includes the relationship between implementation tiers and profiles.
NIST is accepting comments on the latest version of the framework until April 10. It will also hold a public workshop on the updated version in the fall of 2017.