In an effort to help organizations continue to improve their cybersecurity risk management in critical infrastructure, NIST released a revised draft of its Cybersecurity Framework last week.
The second draft of the Framework for Improving Critical Infrastructure Cybersecurity (The Framework) took in received comments and worked to clarify and refine the Framework, NIST explained in the executive summary.
“The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving security and resilience,” NIST wrote. “The Framework provides a common organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today.”
“Moreover, because it references globally recognized standards for cybersecurity, the Framework can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.”
The Framework is meant to be a living document and will be updated and improved as necessary, NIST explained. Each organization is different and will therefore need to use varied tools and methods to properly address its potential risks. However, the Framework “provides a common taxonomy and mechanism,” the draft stated.
Organizations can use the Framework to describe their current cybersecurity posture, describe their cybersecurity target state, and identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
Furthermore, entities can assess their progress toward that cybersecurity state and also learn how to communicate with internal and external stakeholders about cybersecurity risk.
“The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity,” NIST wrote. “It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes.”
NIST added that the Framework is not meant to replace existing processes, and that organizations should overlay their current approach with the Framework. From there, entities can determine if there are cybersecurity gaps and work toward addressing them.
“The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices,” the draft read. “It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.”
Organizations can also use the Framework “to measure and assign values to their risk along with the cost and benefits of steps taken to reduce risk to acceptable levels.” When entities are able to measure their potential risk, the costs associated with fixing that risk, and understand the benefits of cybersecurity strategies, they can create a more effective cybersecurity approach overall.
“Self-assessment and measurement should improve decision making about investment priorities,” NIST said. “For example, measuring – or at least robustly characterizing – aspects of an organization’s cybersecurity state and trends over time can enable that organization to understand and convey meaningful risk information to dependents, Suppliers, Buyers, and other parties.”
NIST previously released an updated draft in January 2017.
“This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation,” explained Matt Barrett, NIST’s program manager for the Cybersecurity Framework.
The January update also introduced the idea of cybersecurity measurement, which “will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” Barrett added.
NIST also requested feedback on the following areas:
- the variety of ways in which the NIST Cybersecurity Framework is being used to improve cybersecurity risk management,
- how best practices for using the NIST Cybersecurity Framework are being shared,
- the relative value of different parts of the NIST Cybersecurity Framework,
- the possible need for an update of the Framework, and
- options for the long-term management of the Framework.
Public comments on the recent draft must be submitted by January 19, 2018. NIST said that a finalized Framework will likely be released in Spring 2018.