NIST Hosts Webcast on Latest Cybersecurity Framework Draft
On December 20, 2017, the National Institute of Standards and Technology (NIST) hosted a webcast on Version 1.1 Draft 2 of the NIST Cybersecurity Framework. NIST released Version 1.1 Draft 2 and its accompanying Roadmap on December 5, 2017. Our summary can be found here.
The Framework seeks to provide “a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk at all levels in an organization and is applicable to organizations of all sizes and sectors.” With Version 1.1, NIST hopes to cause as little disruption as possible to current Framework implementation.
Part One: Framework Overview
The first half of the webcast provided a broad overview of the Framework and its history. NIST released Version 1.0 of the Framework on February 12, 2014. It issued an update–Version 1.1 Draft 1–on January 10, 2017. Version 1.1 is meant to refine, clarify, and enhance Version 1.0. We have previously analyzed Version 1.0 and Version 1.1 Draft 1.
Matt Barrett, Program Manager for the NIST Cybersecurity Framework, described the Framework’s structure and how organizations utilize the document. He noted that the Framework is gaining traction internationally and is already used in various countries around the world. For example, Bermuda’s government uses the Framework and recommends that industry do the same. The Framework has been translated to Japanese, Italian, and Hebrew. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are also examining the Framework, and they may publish a related technical report in the future.
Part Two: Framework Version 1.1 Draft 2
The second half of the webcast discussed changes to the Framework in Version 1.1 Draft 2. NIST intends for Draft 2 to clarify, refine, and enhance the original version of the Framework. The Draft’s updates are derived from feedback since publication of Framework Version 1.0 and Version 1.1 Draft 1. Stakeholders have submitted feedback through comments, workshops, and various NIST outreach engagements.
Mr. Barrett said that the feedback has prioritized Framework clarity. Stakeholders do not want a complete overhaul of the Framework and have emphasized the need for compatibility with Version 1.0. He noted the major changes in Draft 2, which include:
- Guidance for Self-Assessment using the Framework;
- Guidance on how to apply the Framework to Supply Chain Risk Management;
- The inclusion of Authorization, Authentication, and Identity Spoofing in the Framework Core;
- The inclusion of Coordinated Vulnerability Disclosure in the Framework Core; and
- Refined Tier criteria and increased clarity of the implementation Tiers.
The revised Roadmap is meant to identify key areas of further development, alignment, and collaboration. Mr. Barrett discussed specific revisions to the Roadmap, which we explore in depth in our analysis of Version 1.1 Draft 2.
Public comments on Version 1.1 Draft 2 are due January 19, 2018. Comments may be submitted to cyberframework@nist.gov. NIST intends to publish the final Framework Version 1.1 in early 2018 and will hold a workshop in 2018, on a to-be-determined date.
***
For years, Wiley Rein has been actively engaged with NIST on cybersecurity. We have advised numerous companies on how evolving cybersecurity expectations will impact them, including concerns related to regulatory obligations, consumer communications, and government contract provisions.
We are happy to answer questions you may have.