Framework/standard updates coming

Well, it’s early 2018 and there are several information security framework/standards being updated:

  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Now I think we will also see another workshop held in conjunction with this, we just don’t know exactly when.
  •  NIST SP 800-53 and 800-37.  NIST is also working on updated for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security. SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  Now the plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped.  If you read on-line, it looks like they need to re-assess the amount of work needed.  I do expect we will see these done this year, but no idea when at this point.
  • CIS Critical Security Controls.  Better known as the “SANS Top 20”, the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  Now they have a draft of v7 out with a short comment period (about to end).  It’s not clear when they expect the final version to come out but clearly will be this year

The only thing I am concerned is that both SP800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Information References in the CSF be updated to these new versions?  I hope they will be.  Still awaiting the official PCI-CSF crosswalk to be made available.

As I learn more about these new updates, I’ll be blogging about them.

*** This is a Security Bloggers Network syndicated blog from Michael on Security authored by Michael Brown. Read the original post at: