
NIST Proposes Updates to Cybersecurity Framework

By: Lidiya Kurin

On May 16, 2017, the National Institute of Standards and Technology (NIST) held a workshop discussing the proposed updates and feedback for version 1.1 of the federal Cybersecurity Framework – a set of industry standards and best practices developed to protect complex critical infrastructure from cybersecurity threats and infiltration. Matthew Barrett, a NIST program manager, commented on the transition, addressing common concerns NIST received from industry leaders and cybersecurity practitioners.

The original federal framework, version 1.0, was published in February 2014 and has been used in the United States as well as other countries around the world. In January 2017, NIST released a draft of version 1.1 reflecting feedback and frequently asked questions from industry practitioners implementing the original framework. Set to release in the fall of 2017, the four main updates to the framework include:

  • A new section on measuring and demonstrating cybersecurity;
  • An expansion of the guidelines for communicating cybersecurity risks to stakeholders;
  • Refinements to the Access Control Category, accounting for authentication, authorization, and identity proofing; and
  • An improved explanation of the relationship between Implementation Tiers and Profiles.

According to discussions between Barrett and the workshop attendees, practitioners currently working with version 1.0 will easily adapt to the updated edition, given its compatible design. In the new version, users have the option of adding and deleting subdivisions of the framework but are confined to the higher-level parameters essential to the framework’s design. The draft was mostly criticized for its identity management requirements and the added section on measuring outcomes – many are concerned that NIST is changing too much at once. Industry experts were concerned that measuring outcomes would restrict cybersecurity, changing the framework from the current risk-based approach to a compliance-oriented, score-based system. Barrett clarified that the measurement was intended for self-assessment, implying the language of the final version would be clarified to reflect this intent. Finally, NIST resisted changing the framework’s title to remove its restriction to “critical infrastructure,” since the framework is already broadly applied beyond the existing 16 “critical” industry sectors.