A leading framework for addressing cyber-security is getting an update, and the National Institute of Standards and Technology (NIST) is looking for input.

NIST has issued a draft update of its Framework for Improving Critical Infrastructure Cybersecurity with new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cyber-security. The framework update is meant to further develop the voluntary steps that organizations can take to reduce their cyber-security risks.

The framework was initially published in February 2014 in response to an executive order meant to help protect the nation’s critical infrastructure, such as public utilities. It was developed from input provided by industry, academia, and government agencies. The framework has since gained traction in corporate circles and in a variety of other organizations as well, both in the U.S. and globally, NIST says. Even the audit profession is exploring whether companies would benefit from a cyber-security audit in much the way they already have their financial statements audited.

The 2017 update incorporates feedback NIST has received through a variety of avenues over the past three years, including both solicited and unsolicited comment letters and feedback from a 2016 cyber-security framework workshop.

The updated framework is meant to be easier to use, said Matt Barrett, NIST’s program manager for the cyber framework, in a statement. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation,” he said.

The update also includes an expanded vocabulary to help organizations that want to apply the framework to cyber supply chain risk management, NIST says. That might include, for example, selecting a cloud service provider or acquiring an IT system.

NIST also revised the framework to begin a dialogue on the notion of measuring cyber-security. “Measurements will be critical to ensure that cyber-security receives proper consideration in a larger enterprise risk management discussion,” said Barrett.

The draft framework is open for comment through April 10.