Substantial NIST Revisions Eye Supply Chain, Analytics Security

Dan Gunderman

Last week, the National Institute of Standards and Technology (NIST) announced the second draft of a measure set to update the Framework for Improving Critical Infrastructure Cyber Security, otherwise known as the Cyber Security Framework (CSF).

Version 1.1, Draft 2 is set to clarify certain areas of NIST as it affects the larger cyber security operations of the enterprise. NIST also released an updated draft to Roadmap to the Cyber Security Framework, outlining cross-sector efforts to support the document, according to the National Law Review.

NIST was originally established in 2013, under Executive Order 13636. Jamal Hartenstein, senior program manager for California Public Employees Retirement System’s (CalPERS’) IT Security Roadmap Program, told Cyber Security Hub that when the presidential order generated the demand for the governing body of frameworks, it could not immediately be carried out to full potential – without more information sharing on threats and the larger landscape.

“The new focus of the Framework will be applicable to unique threat exposure, business objectives, and the appetites for risk of each of the various types of organizations who are expected, by law, to utilize the Framework,” Hartenstein said.

The latest NIST draft is said to be consistent with 1.0, so that no sweeping overhaul would be required to adhere to the new measure. In fact, 1.1 is aiming for “minimal or no disruption” for Framework users.

Yet the update also stands alone and expands on certain principles.

For one, the update underscores the Framework’s applicability to all sectors and to enterprises of various sizes. While the NIST CSF was intended to protect critical cyber security infrastructures, the current iteration stresses its significance for all enterprise communities. This includes private businesses, government agencies and nonprofits. Similar to the founding Framework, 1.1 encourages users to customize the principles to their operations. This aims to “maximize individual organizational value.”

The NIST broadening falls in line with other relevant publications suggesting that the Framework can be carried out and adhered to in many different systems – with the aim of limiting threats and improving an enterprise’s risk management abilities.

The 1.1 version is also technology-neutral and can be implemented on a number of levels, meaning it applies to organizations that focus on information technology (IT), cyber-physical systems (CPS) or interconnected devices – the growing network called the Internet of Things (IoT).

One of the more significant changes with 1.1 is its focus on cyber security along the supply chain – and the inherent risk embedded there. NIST says that supply chain risk management (SCRM) must factor in an organization’s internal and external behavior and repercussions, as they relate to cyber activity and vulnerabilities, etc. These changes are inserted into the revision’s Cyber Security Implementation Tiers, which structure each level based on the maturity of an organization’s security programs, and their overall awareness.

As explained, Tier 1 organizations are on the lower side of the structure, being generally unaware of supply chain risks. Meanwhile, Tier 4 organizations use real-time information tools to flesh out threats and act consistently. The draft suggests an all-around acknowledgement of risks along the chain.

Analytics also appears to be emerging as a priority in the revision – and it is a common theme in the organizational effort to streamline cyber security functionality. A proposed new section of NIST suggests self-assessing cyber risks – and using effective metrics to do so. The text says that metrics can “facilitate decision making and improve performance and accountability.” The revision falls in line with a recent NIST publication (800-171A), which clarifies the types of “assessments.”

Last Wednesday, Larry Clinton, president and CEO of the Internet Security Alliance (ISA), said the 1.1 revisions may be more substantial than the actual founding Framework.

“To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework,” he said, according to SC Magazine. The ISA head said that the use-metric must be “calibrated” to the threat picture and risk appetite of an organization. He called these options a “stark contrast” to some other “antiquated regulatory models” used in other parts of the world.

The intuitive NIST model will likely stand as a prime example of building on prior success, as cyber lessons learned through each version will likely be incorporated into the Framework.

The latest draft is open for public comment through Jan. 19.