Attorneys At Law


CLIENT ALERT: NIST Releases Cybersecurity Framework Version 1.1 with Important Updates

On April 16, 2018, the National Institute of Standards and Technology (“NIST”) released Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  Although the Framework is drafted to protect complex critical infrastructure vital to national and economic security, companies of all sizes have adopted the Framework as a set of industry standards and best practices to protect against cybersecurity threats and infiltration.  In addition, on May 11, 2017, President Trump issued an Executive Order directing all federal agencies to follow the Framework.

NIST published the original Framework, Version 1.0, in 2014 and released two drafts of Version 1.1 for public comment (additional reporting on the draft Version 1.1 is available here).  The final Version 1.1 includes several key updates, including:

  • Adding Section 4.0 “Self-Assessing Cybersecurity Risk with the Framework” to explain how organizations can use the Framework to evaluate cybersecurity risks.
  • Refining language in the Access Control Category to better account for authentication, authorization, and identity proofing.
  • Adding a definition of “cybersecurity incident” separate from the definition of “cybersecurity event.”
  • Adding a subsection on coordinated vulnerability disclosure lifecycles.
  • Expanding Section 3.3 “Communicating Cybersecurity Requirements with Stakeholders” to manage cybersecurity within the supply chain.
  • Clarifying the relationship between implementation tiers in Section 3.2 “Establishing or Improving a Cybersecurity Program.”

To complement Version 1.1 of the Framework, NIST intends to release an update to the Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”) later this year.  The Roadmap, a companion document to the Framework, describes NIST’s plans for future iterations of the Framework and identifies key areas of development, alignment, and collaboration. 

NIST will host a free webinar explaining the details of Version 1.1 of the Framework on April 27, 2018, at 1:00pm EST.  NIST will also feature the recent updates to the Framework at its Cybersecurity Risk Management Conference in Baltimore, Maryland, this November.

Companies of all sizes should carefully review the updated Framework and consider implementing the suggested best practices.  Our firm is available to answer questions about the new Framework and assess contractor compliance with related cybersecurity regulations.

By: Kristin A. Tisdelle