The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017.
“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.
Firstly, Section 4.0, previously entitled “Measuring and Demonstrating Cybersecurity,” has been reframed as “Self-Assessing Cybersecurity Risk with the Framework” to better emphasize how organizations might use the Framework to measure their risk.
NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3, “Communicating Cybersecurity Requirements with Stakeholders.”
NIST issued the draft NIST Interagency Report 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning.
This is a much-anticipated update to the NIST Cybersecurity Framework, and one I suspect will be quite useful for those organizations opting to take the time to learn how to leverage its capabilities.