On April 16, 2018, NIST did something it never did before. It updated its popular Cybersecurity Framework. For those who have the old guidance down pat, no worries. Version 1.1 is fully compatible with the 2014 original, and essentially builds upon rather than alters the prior document. To get you quickly up to speed, here’s a list of the five most significant Framework clarifications and revisions:
- You can’t comply with the Framework! Although companies can comply with their own cybersecurity requirements and they can “use” or “leverage” the Framework to determine and express those requirements, NIST says there is no such thing as being “in compliance” with the Framework.
- Don’t use the Framework Core as a checklist of actions. Categories (take for example “Data Security”) and their related Subcategories (such as “Data-at-rest is protected”) are a collection of potential “outcomes,” not actions. This distinction affirms the Framework’s risk management approach, as opposed to a prescribed list of controls. Whether and how to reach a particular end-state is a risk decision. Keeping this in mind, consider again the subcategory “Data-at-rest is protected.” Now search the Framework for the word “encryption.” You won’t find it.
- Execute response plans during or after an incident, not an event. The original Framework defined the term “cybersecurity event,” but not “cybersecurity incident.” It then tied response plans to events. The problem is that events include every change that “may” have an impact on organizational operations, and typically do not justify executing response processes and procedures. The revised Framework defines an incident as an event once it is determined to have an impact. The upshot? Incident Response Plans are in, Event Response Plans are out, and responders will have fewer fire drills.
- Use the Framework to assess your cybersecurity risk. Version 1.1 adds an entirely new section that describes the importance of measuring “investment effectiveness and cybersecurity activities.” Unfortunately, valid cybersecurity metrics remain as elusive today as when the Framework first came out. This leaves NIST in the awkward position of encouraging organizations to “innovate and customize,” and to be “thoughtful” and “creative” when using measurements, while simultaneously warning them to avoid “artificial indicators,” to be “careful,” to “have discipline,” and to “be clear about the limitations of measurements that are used.” The first to figure it out wins.
- Practice Supply Chain Risk Management and make better buying decisions. The revised Framework recommends that organizations address how their cybersecurity affects others, and how the cybersecurity of others affects them. This includes understanding business-specific cybersecurity risks associated with products and services, and assessing the quality of manufacturing and development practices.
As a closing thought, the NIST revision marks an important milestone. Since its release, the Framework has been embraced well beyond its target audience of U.S. critical infrastructure. It has been used to improve the security of information technology, operational technology and connected devices the world over. Now, with this revision, the Framework has achieved its own highest recognition: it’s adaptive.