News on NIST CSF v1.1

I’ve previously posted on the NIST Cybersecurity Framework (NIST CSF) and the recent work to update it to v1.1.  I had attended the recent workshop held at NIST headquarters following the released of the Draft v1.1 and comments.  And I’ve been awaiting their report on the Workshop and a better idea as to what are the next steps.

Well, just before “Hacker Summer Camp” they released their summary and I missed it.  You can read it HERE.


At 20 pages, its pretty readable.  Overall for me not a big surprise in terms of the summary, tho there are interesting items of information.  Here are a few:

* Some feel that to make the CSF be more widely used, let’s drop the cumbersome name of “Framework for Improving Critical Infrastructure Cybersecurity” and just call it “The Cybersecurity Framework”.  I would agree.

* I missed the session on “confidence mechanisms”.   Probably because the term makes no sense to me.  Basically they mean some assessment methodology.  Which as a security consultant I look for.  I would like to learn more about some of the working that they mention from other groups (BSI, ISACA, CMMI).  Am aware of the ISACA one, since I’m a member.  Will keep an eye out for the rest.

* The future of informational references is important to me, as I find them vitally useful in the work I do.  I don’t want them to go away.  The idea of having the various groups who have standard make the mappings available is a good one, I just wish they’d hurry up.  (where is the PCI-DSS one, which I’m told is done, they just need to hash whatever it is between NIST & PCI to make it available).

* Measurement & metrics is also important to me.  This session was interesting.  It looks like the idea now is to work out a separate work to cover this rather then trying to cram it into the final v1.1.

Ok, so what about next steps.  Here are some of the highlights to that.

We will be getting a second draft of v1.1 this Fall (instead of the final version).  This will follow a 30 day comment period, and yes, there will be a report put together after that, as had been done prior.

The plan, at this point, is to release the final v1.1 in 2018.  When?  Don’t know.

Now, when they released the CSF, they also released a Roadmap document.  This document will also be updated when the next draft is out for feedback.  This roadmap will include topics that were viewed as “too big” for the CSF document itself, which to me says we will see them as separate documents.  The topics are items like measurement/metrics, assessment models (conformity assessment now to be confidence mechanisms), small business info, and CSF crosswalk relationships to other standards like ISO 27001.

There are some other areas of focus that is going to continue.  These include on small businesses, and what they have sounds interesting.

Also there will be discussion to work with ANSI and thus ISO/IEC in regards to the 27000 series, ideally leading to a larger mapping of the NIST CSF to all the 27000 series.

Federal work with the NIST CSF continues.  NIST is working on an update of SP800-37, which covers the Risk Management Framework, the heart of FISMA.  This new update will better make clear the relationship between RMF and the CSF.  No date is mentioned for this.  And I know they are working on the next version of SP800-53, which are the controls in FISMA.  But I have no idea when this will come out, and no mention was made of that here.  Hmmmm.

Workshops will continue, and they want to encourage the use of “program” specific groups to work within the context of the larger Workshops, as was done at the last one with the Financial Services and Communication Sectors have sessions.  Will we see a Workshop in early 2018 following the feedback period on the second draft?  No idea.

If you have an interest in the CSF and its future, get this Summary and read it.  Especially take note of section 5.4 on recommended actions.

This is a Security Bloggers Network syndicated blog post authored by Michael R. Brown. Read the original post at: Michael on Security