NIST Releases New Cybersecurity Framework Draft

Updated version includes changes to some existing guidelines - and adds some new ones.

The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.

The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.  

NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.

The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day January 19, 2018 and will likely go live with the changes shortly after.

"NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity," says Matt Barrett, NIST’s lead on the framework.

The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.

NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.

The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high level, the framework provides guidance on how organizations can identify, protect against, detect, respond to, and recover from cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.

Mandatory for the Feds 

Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.

The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain — an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST's updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.

"The NIST updates are meant to be a dynamic, working document," says Edgard Capdevielle, CEO of Nozomi Networks. "[They] cover a lengthy list of topics from confidence mechanisms, cyberattack lifecycles, beefing up the cybersecurity workforce, to reviewing supply chain risk management along with governance and enterprise risk management."

While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, he says. 

"With Draft 2 of Version 1.1, I expect critical infrastructure operators and federal agencies to focus more closely on supply chain, especially as weak links there have contributed to several well-known data breaches," says Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC). "To reduce the impact of cyber incidents, it is crucial that each and every organization understands its role within the larger ecosystem, and actively contributes to proactively address emerging threats."

Vescio believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.

"NIST CSF should be important to everyone," he says.  "Implemented correctly, [it] can help organizations evolve, while maintaining or working toward a pre-selected risk posture."


Q&A: Matt Barrett, NIST's Lead on the CyberSecurity Framework

(Excerpts from a Dark Reading email interview with Matt Barrett)

Q. What are the most significant changes in this draft?

Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk. In acknowledgement of the wide variety of stakeholder perspectives on cybersecurity measurement and the need for a stakeholder dialog on the topic, the section was summarized and refined and NIST officially acknowledged Measuring Cybersecurity as an item on the Roadmap to Improving Critical Infrastructure Cybersecurity.

NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders. This included a simpler description of the parties involved in an organization's supply chain. We also further integrated cyber supply chain risk management language into the Implementation Tiers. This will better enable organizations to determine their current status and desired state with regard to cyber supply chain risk management practices.

We added a few Subcategories to account for authentication and coordinated vulnerability disclosure.

Q. Are federal agencies/critical infrastructure operators required to adopt the framework?

Yes. On May 11, 2017, the President issued Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other things, the order states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency's action plan to implement the Framework.”

NIST issued draft report NIST Interagency Report (IR) 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning. The draft summarizes eight private sector uses of the Framework, which may be applicable for federal agencies. By leveraging NISTIR 8170, agencies can better understand how to implement the Framework in conjunction with other NIST cybersecurity risk management standards and guidelines.

Q. Going forward, do you expect agencies/CI operators to be assessed against their adherence or failure to adhere to the framework?

With increasing use of Framework, this topic increasingly comes up. Whether it will or won't, NIST doesn't have the charter to control such things, nor the latitude to comment. However, I will offer this up.

Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. Framework provides a basis for a standardized communication – increasing an organization's efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state.

Organizations may elect to use Framework to self-assess cybersecurity risk and communicate judiciously with others. They may also enlist external parties to assess cybersecurity risk. For this reason, NIST continues to encourage and support private sector in evaluating and implementing Framework confidence mechanisms.

Q. How should organizations use the framework?

There are many ways to use Framework and all the varied uses have a value. Out-of-the-box and without alteration, Framework offers a common and accessible vocabulary for cybersecurity risk management. In its simplest form, that vocabulary is Identify, Protect, Detect, Respond, and Recover. This allows people who are not cybersecurity experts to participate in the cybersecurity dialog.

The Framework is also meant to be customized for a given sector, subsector, or organization.  That customization ultimately means some form of prioritization. 

Framework has some native methods of customizing and prioritizing. For instance, Framework Profiles help an organization determine and communicate the outcomes that are most important for a given set of circumstances, whether those circumstances are derived from the technical environment, cybersecurity requirements such as law and regulation, or desired organizational objectives. Similarly, the Implementation Tiers of Framework help an organization decide how they would like to manage cybersecurity risk for a given part of the organization.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
