The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released the first major overhaul of its Framework for Improving Critical Infrastructure Cybersecurity, which reflects public feedback collected over the last two years. The framework was finalized in 2014 with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
In general, the NIST Framework provides five core functions to be performed concurrently and continuously to form an operational culture focused on the constantly changing faces of cybersecurity risk. The core functions are:
Identify: Understand the business context, resources and related cybersecurity risks to prioritize efforts around business needs and management strategy.
Protect: Limit or contain potential cybersecurity events through access control, identity management, awareness and training, and protective technologies.
Detect: Implement appropriate activities to enable timely discovery of cybersecurity events through continuous monitoring and detection processes.
Respond: Contain the impact of potential cybersecurity incidents through communications, response planning, mitigation and improvements.
Recover: Maintain plans for resilience and for restoring capabilities or services that were impaired due to a cybersecurity incident, through recovery planning and targeted communications.
The new version 1.1 of the Cybersecurity Framework, which was developed through public feedback collected in 2016 and 2017, includes updates to authentication and identity, self-assessing cyber risk, managing cybersecurity within the supply chain and vulnerability disclosure. Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration. The process used to update the framework was published on the website to ensure all parties understand how future updates will be made.