NIST Accepting Comments on the Second Draft of the Cybersecurity Framework
NIST published Version 1.1 or the second draft of the revised Cybersecurity Framework. Version 1.0 or the first Cybersecurity Framework was published in 2014. Its purpose was to help operators and critical infrastructure owners to evaluate their risk profiles and improve their capability to stop, identify and respond to cyberattacks. The framework established a common language for security models and practices applicable to all industries.
The framework is patterned after cybersecurity best practices and standards that are globally accepted. Many private and public organizations adopted the framework to implement a more effective approach to risk management. Soon after the release of the CSF, the organizations sent NIST numerous comments on how to improve the framework’s usability. The feedback were taken and incorporated in the CSF’s first revised draft published in January 2017.
The Cybersecurity Enhancement Act of 2014 was the reason the NIST CSF was created. The first version did not meet all the requirements of the Act. But the latest draft has several refinements added to come closer to satisfying the requirements of the Act. These include: clarification of language relating to cybersecurity measurement; guidance on improving supply chain security; and improvements to mitigate risk of IoT devices and operational technology. The Roadmap for Improving Critical Infrastructure Security has been updated by NIST as well. The update included the topics that will be considered for future revisions of the CSF.
It is not mandatory to adopt the Framework for most organizations. It is their option to choose which cybersecurity risk management practices they like to implement. But for all federal agencies, it is mandatory to adopt the Framework according to the Presidential Executive Order on Strenghtening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017.
The NIST will accept comments on the second version of the Cybersecurity Framework until January 19, 2018 to prepare for the final version of the CSF to be released in Spring 2018.