On 11 May 2017, President Donald Trump signed an executive order that provides guidance on strengthening the United States’ digital security. The directive makes clear that each head of a U.S. federal agency or government department is ultimately responsible for managing their organization’s risk. It also emphasizes their use of a specific document to fulfill that obligation:

Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.

President Trump was wise to incorporate NIST’s Framework into his executive order. Originally published in 2014, the Framework is explicitly aimed at helping operators of U.S. critical infrastructure. Even so, plenty of private businesses now use the document’s five core digital security functions—Identify, Protect, Detect, Respond, and Recover—to mitigate the risk of ransomware and other digital crime on their networks, as well as to correlate their digital security metrics with their business objectives.

Since its publication, NIST has received a great deal of feedback from organizations and other parties on Version 1.0 of its Framework. It has gathered these comments from online forums, workshops, and formal requests for information (RFIs) over several years. Now NIST has incorporated these viewpoints into a second draft of Version 1.1 of its Framework. It has done so in the interest of meeting the demands of those who use the document to stay on top of the latest digital threats.

The updates NIST made in Version 1.1 of its Framework (PDF) boil down (Read more...)