The National Institute of Standards and Technology (NIST) announced this week that it has published a second draft of a proposed update to the “Framework for Improving Critical Infrastructure Cybersecurity,” better known as the NIST Cybersecurity Framework.
Introduced in 2014, the framework is designed to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks. Some security firms and experts advise businesses to use the NIST Cybersecurity Framework as a best practice guide. Others, however, believe such static guidelines cannot keep up with the constantly evolving threat landscape, and malicious actors may even use it to devise their attack strategy.
The Cybersecurity Framework was developed based on an executive order issued by former U.S. president Barack Obama. A cybersecurity executive order issued by the current administration of Donald Trump also requires federal agencies and critical infrastructure operators to use the framework.
Nearly four years have passed since the Cybersecurity Framework was released and NIST is now working on an updated version. A first draft was released in January and a second draft was made available on December 5.
According to NIST, the second draft for version 1.1 of the Cybersecurity Framework “focuses on clarifying, refining, and enhancing the Framework – amplifying its value and making it easier to use.”
The second draft also comes with an updated roadmap that details plans for advancing the framework’s development process.
The modifications are based on 120 comments submitted in response to the first draft and discussions between 500 individuals who attended a workshop back in May.
Comments and feedback on the second Cybersecurity Framework draft can be sent to NIST (cyberframework(at)nist.gov) until January 19, 2018. The organization has fallen behind on the development of the updated framework – it had initially anticipated that the final V1.1 would be published this fall, but it now hopes to have it done in “early calendar year 2018.”
NIST is particularly interested in learning if the revisions in version 1.1 reflect the changes in the current cybersecurity ecosystem, and the impact of the updated version on organizations currently using version 1.0 of the framework.