The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017.
“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.
Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk.
NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders.
NIST issued draft report NIST Interagency Report 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning.
The guidance will look familiar to those that have studied the Australian Signals Directorate’s to-do list (which El Reg calls the “don’t be stupid” list).
The NIST publication covers access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity.
And yes, the kind of advice it gives would have helped the DBP – for example, agencies should “separate the duties of individuals to reduce the risk of malevolent activity without collusion”, and should “employ the principle of least privilege, including for specific security functions and privileged accounts”.
Most cyber security guidelines could be classified under the guise of “don’t be stupid”. The problem is so many organizations are just simply lazy, they take the easy way out and choose not to implement best practices.