NIST Framework for Critical Infrastructure Cybersecurity

Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.

The framework was initially developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of an Executive Order 13636 issued by President Obama calling for the development of a set of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack.

Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods.

Changes to Version 1.1 include updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among others.

Review of changes

For one, the update has renamed the Access Control Category to Identity Management and Access Control to better account for authentication, authorization and identity-proofing.

It also has added a new section named “Section 4.0 Self-Assessing Cybersecurity Risk with the Framework” that explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

“The development of cybersecurity performance metrics is evolving. Organizations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management. Judging cyber risk requires discipline and should be revisited periodically,” the document reads.

On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new section (3.4) focuses on buying decisions and (Read more...)