NIST Reviews Comments on Updated Cyber Framework

The comment deadline is Monday for changes introduced to the National Institute of Standards and Technology (NIST) draft update to its Framework for Improving Critical Infrastructure Cybersecurity. 

The proposed update aims to further develop voluntary guidelines for organizations to reduce cybersecurity risks. It provides details on managing cyber supply chain risks, clarifies key terms and introduces measurement methods for cybersecurity, the agency states. 

For the first time, the framework includes a section about measuring the performance and maturity of organizations' cyber risk programs—a move that could prove decisive for securing enterprises, says Steven Grossman, vice president of strategy and enablement for the cybersecurity and risk management firm Bay Dynamics. "It’s not just about technical metrics, but how do [security practices] impact the business," Grossman says. "If you don’t have insight and visibility into what you’re trying to protect, how well you’re protecting it and where your gaps are, you obviously can't do a very effective job at protecting yourself."

NIST has been soliciting industry input on the cybersecurity framework, published in February 2014 in response to a presidential executive order and following a collaborative process involving industry, academia and government agencies. 

"We wrote this update to refine and enhance the original document and to make it easier to use," Matt Barrett, NIST’s program manager for the cybersecurity framework, says in a statement. "This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation."

The NIST update focuses on the need to measure not only the internal processes of cybersecurity but also the business outcomes related to those processes, Grossman explains. Measurements traditionally have been based on the number of network patches, updates applied or perceived threats defeated without factoring in the overall outcomes. "But if you patched vulnerabilities on low-value targets, you haven't done a great job protecting your organization, even though your metric is technically going up," he says.

NIST's proposed update provides examples of cyber supply chain risk management, which include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system. In the renamed and revised "identity management and access control" category, the draft clarifies and expands the definitions of "authentication" and "authorization," the agency states. 

"In the update, we introduce the notion of cybersecurity measurement to get the conversation started," Barrett says. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion."

The 2017 draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback since the release of framework version 1.0 and comments from the December 2015 request for information. For the last few days of the present comment period, send remarks to cyberframework@nist.gov.

"No framework is perfect and no methodology is perfect, but what it did do was create a common language and a common framework for everybody to work from," Grossman says. "More than anything else, that's been its tremendous value.”