11 Jan Summary of Pending NIST Cybersecurity Framework (CSF) Changes in Version 1.1 Draft 2
By Bob Heckman, Vice President and Chief Information Security Officer, Cybersecurity Center of Excellence, Criterion Systems, Inc.
In early December, NIST released a new draft of the Cybersecurity Framework (CSF), NIST CSF V1.1. This new draft seeks to clarify, refine, and enhance the original version. Expanded and more effective use and sharing of best practices of this voluntary Framework are the next steps to improve the cybersecurity of our Nation’s critical infrastructure – providing evolving guidance for individual organizations while increasing the cybersecurity posture of the Nation’s critical infrastructure and the broader economy and society. See below for a summary of the major changes as well as further information on NIST’s updated companion document: NIST Roadmap for Improving Critical Infrastructure Cybersecurity.
The Cybersecurity Enhancement Act of 2014
The Cybersecurity Enhancement Act of 2014 (P.L. 113-274) amended the NIST Act (P.L. 113-274) to say “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.” In addition, Executive Order (EO) 13636:
- requires that the Framework include a set of standards, methodologies, procedures, and processes that align policy, business, and technical approaches to address cyber risks;
- requires that the Framework provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
- requires that the Framework identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations;
- requires that the Framework be consistent with voluntary international standards.
Furthermore, EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, requires Federal agency heads to use the CSF and to provide, within 90 days, a risk management report containing a description of the agency’s action plan to implement the CSF.
NIST CSF V1.1 Draft 2
On December 5, 2017, NIST released the NIST CSF V1.1 Draft 2. This draft of Ver 1.1 seeks to clarify, refine, and enhance the original version of the NIST CSF. Updates were derived from feedback that NIST has received since publication of NIST CSF V1.0, including more than 120 comments on the January 2017 Draft Ver 1.1 and input from the May 2017 Workshop.
Ver 1.1 Draft 2 states that the NIST CSF is applicable to technology including information technology, operational technology, cyber-physical systems, and the Internet of Things (IoT). It also states that the NIST CSF is applicable to all phases of the system lifecycle, including design, development, deployment, operation, and decommissioning.
Major Pending Changes to NIST
The following is a summary of the major pending changes, along with some supporting notes, in the draft V1.1:
- General Changes:
  - Added 1 new subcategory each to Data Security under the Protect function; to Protective Technology under the Protect function; and to Analysis under the Respond function.
  - Clarified the language in 7 other subcategories.
  - Updated the informative references.
- Added a new Cyber Supply Chain category under the Identify function and added 5 new subcategories. The primary objective of cyber supply chain risk management (SCRM) is to identify, assess, and mitigate the risk that cyber-related products and services contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. Section 3.3 guidance on applying the CSF to SCRM was enhanced, including management of cybersecurity within supply chains and for acquisition decisions, and the entity diagram and taxonomy were updated. Supply chain considerations are incorporated into the “External Participation” property of the Implementation Tiers.
- Added 2 new subcategories (Identity Proofing and Authentication) to the Identity Management, Authentication, and Access Control category under the Detect function. Category language was refined to introduce and better account for the concepts of authentication, authorization, and identity proofing.
- Refined and simplified the guidance on self-assessment of cybersecurity risk using the CSF, including use of CSF-based measurement. The draft emphasizes the role of measurement in self-assessment and stresses the critical linkage between business results, including cost/benefit, and cybersecurity risk management.
- Refined the Implementation Tier criteria and clarified the use of Implementation Tiers and their relationship to Profiles through modifications to the “hourglass graphic” and inclusion in the NIST CSF 7-Step Process.
- Added the concept of, and better accounts for, emerging vulnerability information (i.e., Coordinated Vulnerability Disclosure). A new subcategory related to the vulnerability disclosure lifecycle was added to Analysis under the Respond function, because organizations need to incorporate vulnerability data, identify emerging risks, and use cyber threat information from internal and external sources to gain a better and more robust understanding of the likelihood and impact of cybersecurity events.
- Removed the Federal Alignment section that appeared in NIST CSF Ver 1.1 Draft 1. With the publication of U.S. Federal policy, memoranda, and guidance on NIST CSF use (e.g., EO 13800, OMB Memorandum M-17-25, and the draft NIST Interagency Report 8170), federal applicability statements are no longer needed in the NIST CSF publication.
Companion Document: NIST Roadmap for Improving Critical Infrastructure Cybersecurity
In addition, NIST has published an updated companion document, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity, alongside Draft 2 of Framework Version 1.1, which focuses on clarifying, refining, and enhancing the NIST CSF. The Roadmap highlights key “areas of improvement” for further development, alignment, and collaboration, and provides a description of activities related to the NIST CSF.
Some of the new areas of improvement include:
- Coordinated Vulnerability Disclosure
- Governance and Enterprise Risk Management
- Measuring Cybersecurity
- Referencing Techniques
- Small Business Awareness and Resources.
Roadmap items are generally topics that are meaningful to critical infrastructure and cybersecurity risk management; are focus areas of both the private sector and the federal government; and are related to the NIST CSF but managed as separate efforts.
The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. NIST will continue coordinating with the private sector and government agencies at all levels. As the Framework is put into greater practice, additional lessons learned will be integrated into future versions. This will ensure the Framework is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.