Recognizing the massive threat posed by fragmented security practices across the technology world, President Obama signed a cybersecurity executive order, Executive Order 13636, with the intent of standardizing practices and providing an easily accessible set of best practices.
In February 2014, the United States National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF). The initial NIST CSF release provided a useful set of optional standards and best practices to assist business leaders with efforts to ward off threats like ransomware, stolen data and anything else flowing from the devious minds of cybercriminals.
The Latest Update Takes the Original NIST CSF Version One Big Step Further
Upon entering office, President Trump and his administration recognized that, while the original release of the NIST CSF was indeed helping, it could become even more effective for businesses. In May 2017, the President signed a second executive order to provide the necessary updates to take NIST CSF to the next level, turning the framework created by the Obama administration into a full-fledged federal government policy.
On April 16, 2018, the resulting update was released under the title Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. This new version reinforces the original intent of the CSF as a framework developed to benefit companies of every size, industry and type. The CSF (the Framework) is meant to provide best practices and tools that help business leaders prioritize cybersecurity resources effectively, assess risk, make appropriate decisions, and take meaningful action to avoid and mitigate risk.
Further, CSF Version 1.1 augments cybersecurity communication within organizations, as well as with other organizations that may include vendors, partners, regulators and auditors.
Most importantly, these updates fit seamlessly with the original framework. They are meant to benefit current Framework users as well as businesses newly adopting and implementing the Framework.
The 6 Points You Need to Know About the NIST CSF Update
The NIST CSF update largely aims to add clarity and guidance to its users, but it also adds some additional requirements to help users tighten up their best practices in assessing and managing cybersecurity risks.
Let’s take a closer look at each of the six new updates to the Framework to learn more about how they can boost your organization’s cybersecurity efforts.
1. The Clarification of Terms Like “Compliance”
Framework stakeholders may not always understand the precise definition of terms like “compliance” and may need additional clarification to determine the context. The NIST CSF update adds clarity by highlighting the fact that the Framework has its own specific structure and language, which it uses to organize and express compliance with a company’s cybersecurity requirements. Further, the update gives each organization the freedom to establish its own measures for meeting NIST CSF compliance.
2. The Addition of Section 4.0 for Self-Assessment Guidance
The newly added Section 4.0, entitled “Self-Assessing Cybersecurity Risk with the Framework,” lays out how the Framework can now be used by companies to understand and assess their organization’s cybersecurity risk, including the use of the business’s own established measurements.
3. The Enhancement of Cyber Supply Chain Risk Management
An expanded Section 3.3, “Communicating Cybersecurity Requirements with Stakeholders,” provides a better understanding of Cyber Supply Chain Risk Management (SCRM). Section 3.4, entitled “Buying Decisions,” goes on to highlight the value of using the Framework to understand all risk associated with commercial off-the-shelf (COTS) products and services.
The update also provides new Cyber SCRM criteria for the Implementation Tiers.
4. Strategies and Refinements to Better Account for Authorization, Authentication and Identity Proofing
The NIST CSF update provides more specific and refined language in the Access Control Category by adding one Subcategory each for Authentication and Identity Proofing. The Category’s new name, Identity Management and Access Control (PR.AC), better represents the scope of the Category and each of its associated Subcategories.
5. The Improved Explanation of the Relationship Between Implementation Tiers and Profiles
The 2018 update also provides a better explanation of the relationship between Profiles and the Implementation Tiers. With language added to Section 3.2, entitled “Establishing or Improving a Cybersecurity Program,” on using Framework Tiers in Framework implementation, the update better reflects the integration of all Framework considerations within the context of the business’s risk management programs.
6. The Considerations Regarding Coordinated Vulnerability Disclosure
A new Subcategory was added to address concerns over the vulnerability disclosure lifecycle.
How Will the 2018 NIST CSF Updates Affect Your Organization?
The NIST CSF update is meant to further guide and assist you and your IT team in your cybersecurity efforts. The update, as well as the original Framework, is scalable to work within your organization and to your unique system’s specifications with the objective of assessing and minimizing cybersecurity risks.
Note that NIST plans to release a supplementary document, entitled The Roadmap for Improving Critical Infrastructure Cybersecurity, to further assist you in your goals to achieve optimal cybersecurity. This document, slated for release in 2018 or 2019, will describe in more detail key areas of development, alignment and collaboration in cybersecurity.
Our Team Can Help You Adopt and Implement the Latest NIST CSF Updates
Our I.S. Partners, LLC auditing team has kept close watch on NIST’s continuing and diligent efforts to foster better cybersecurity for organizations just like yours. We can help you understand the finer points of all the new updates and how each one can benefit your business in the face of relentless and unpredictable cyber crimes.