They have released a draft of this update for comments.
On that page you can read the draft in a couple of different versions.
What has been added/updated?
They added more material regarding supply chain. They made a few tweaks to the Core. I had hoped they would have gotten rid of the Implementation Tiers, but instead of dropping it or doing major work on it, they made some tweaks to it. And there is a new section on metrics and measurement.
I was disappointed they didn't update the Critical Security Controls references. They are still listing v5, which is no longer valid, and the group that managed it is no more. However, they note they are still updating all the Informative References, so hopefully that is just something that is in progress and will appear in the released version.
I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix. And I think they should add a PCI DSS crosswalk. I am told it exists, and I think it would be good to include it. Again, maybe this will be included in the final version.
I am debating whether I should put together a talk on this proposed draft for upcoming conferences.
This is a Security Bloggers Network syndicated blog post authored by Michael R. Brown. Read the original post at: Michael on Security