Written by Jim Halpert and Michelle Anderson

The National Institute of Standards and Technology (NIST) released proposed revisions (draft Version 1.1) to its Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) on January 10, 2017. The latest draft is intended to “refine, clarify, and enhance” Version 1.0, released in February 2014 in response to Executive Order 13636 – Improving Critical Infrastructure Cybersecurity.

Notable changes in draft Version 1.1 include:

  • Additional information on mitigating supply-chain risks. NIST expanded Section 3.3 (“Communicating Cybersecurity Requirements with Stakeholders”) to address the importance of communicating and verifying cybersecurity requirements among stakeholders as part of cyber supply chain risk management (SCRM). In addition, NIST added SCRM as a property of the Implementation Tiers (Section 2.2) and to the Framework Core under the Identify Function.
  • A new section (Section 4.0) on cybersecurity measures and metrics. NIST notes that, with metrics and measurements, the Cybersecurity Framework can serve as the basis for assessing an organization’s cybersecurity posture. According to the draft, “metrics” help “facilitate decision making and improve performance and accountability” while “measurements” are “quantifiable, observable, objective data supporting metrics.” For example, an organization can measure system uptime, and that measurement can serve as a metric against which the individual responsible for developing and implementing appropriate safeguards to ensure delivery under the framework’s Protect Function can be held accountable.

NIST invites comments on draft Version 1.1. Comments are due by April 10, 2017, and can be sent to cyberframework@nist.gov. After reviewing these comments and convening a workshop, NIST intends to publish a final Framework Version 1.1 in Fall 2017.

NIST reiterates that “[a]s with Version 1.0, use of the Version 1.1 is voluntary,” and says that users of Version 1.1 may “customize the Framework to maximize organizational value.”

That said, NIST’s encouragement of using cybersecurity measures and metrics for internal organizational accountability could lead to the creation of metrics that can also be used by third parties (e.g., regulators) to hold organizations accountable under the framework. While it remains to be seen what the Federal Trade Commission (FTC) will do under the incoming Trump administration, the FTC (and other regulators) could use such metrics as the bases for enforcement actions. Indeed, there is significant overlap between what the FTC considers to be “reasonable” security and the Cybersecurity Framework. According to the FTC’s blog post on The NIST Cybersecurity Framework and the FTC, “The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.”

According to NIST, this latest draft incorporates feedback to Version 1.0, responses to its December 2015 request for information, and comments from NIST’s April 2016 Cybersecurity Framework Workshop.