NIST releases first major update to cybersecurity framework

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released the first major overhaul of its Framework for Improving Critical Infrastructure Cybersecurity on Monday, which reflects feedback collected over the last two years.

Also known as the “Cybersecurity Framework,” the voluntary standards and best practices were finalized in 2014 for industries vital to national and economic security, including banking, energy, communications, and defense. Version 1.1 updates to the Cybersecurity Framework address authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.

Walter Copan, the under secretary of commerce for standards and technology and director of NIST, said the release of the Cybersecurity Framework Version 1.1 marks “a significant advance” and reflects the success of the public-private model in addressing cybersecurity challenges.

“From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia,” Copan said. “The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”

U.S. Rep. Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a member of the U.S. House Armed Services Committee and U.S. House Homeland Security Committee, said the Cybersecurity Framework has helped countless organizations voluntarily assess cybersecurity risk posture, identify gaps and prioritize best practices since its 2014 release.

“As demonstrated by the Russian government’s targeting of our election systems, however, the cybersecurity threats to our critical infrastructure continue to evolve,” Langevin said. “Today’s release marks an important evolution of the framework that will ensure it remains relevant as risk management practices change to keep pace with the threat. I congratulate NIST for continuing its commitment to partner with diverse stakeholders representing government, private industry, academia and civil society in developing this update, which will help all adopters, from small businesses to government agencies, improve their cybersecurity posture.”

However, Langevin also cited “missed opportunities” of Version 1.1 updates.

“While I appreciate NIST’s decision to continue to explore ways to measure the cost effectiveness of cybersecurity, I do believe this revision was a missed opportunity to provide more concrete guidance on ways to quantify risk,” he said. “Cybersecurity is not just a technical issue, and an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily.”