NIST Releases New Cybersecurity Framework Version 1.1
After more than two years of development, the National Institute of Standards and Technology (“NIST”) released Version 1.1 of the NIST Cybersecurity Framework on Monday. The NIST Cybersecurity Framework (the Framework), originally published in 2014, is a collaborative, voluntary, and industry-driven set of cybersecurity standards, guidelines, and best practices for public and private sector organizations of all sizes.
Cybersecurity Is Critical To Overall Enterprise Risk Management
As we have written in the past, most businesses are failing at cybersecurity. In the wake of high-profile cybersecurity and privacy incidents, however, most businesses are recognizing that cybersecurity is not a separate risk management consideration or a “value add.” Rather, cybersecurity is critical and should be integrated into an organization’s overall enterprise risk management program. As Version 1.1 of the Framework explains, “The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.” Consistent with that view, Version 1.1 expands the Framework’s Cyber Supply Chain Risk Management guidance, which addresses the risks an organization inherits from the commercial off-the-shelf products and services it acquires and the third parties it relies on.
Version 1.1 Is A Key Step In Comprehensive Management of Cybersecurity
Version 1.1 of the Framework also advances NIST’s stated goal of disseminating a flexible, scalable, and adaptable program that meets the cybersecurity needs of all organizations. NIST emphasized practicality in its 2016 publication “Small Business Information Security: The Fundamentals,” but critics of the prior Framework noted that the Framework, while comprehensive, was not easy to implement. To address these concerns, Version 1.1 refines its explanation of how the Framework should be integrated into an organization’s existing cybersecurity program. As under the prior Framework, an organization remains free to choose how it implements Version 1.1, depending on its cybersecurity needs and its specific technological resources and systems. At any level of implementation, however, the Framework can enhance and clarify an organization’s approach to cybersecurity. Version 1.1 also adds a new section on self-assessment that explains how organizations can use the Framework to understand and assess their cybersecurity risk, including through the use of measurement.
The Framework has been influential across the world, with many countries embracing the Framework’s voluntary, bottom-up approach to enhancing cybersecurity. Version 1.1 of the Framework is a key step forward in comprehensively managing cybersecurity risks across industries in a cost-effective way without placing mandatory, additional regulatory requirements on businesses and organizations. Importantly, as we continue to face collective global challenges posed by pervasive technology and the weaponization of cyberspace — as illustrated recently by the joint U.S.-U.K. warnings about Russian cyberattacks against government and private organizations, as well as individual homes — domestic norms and standards become increasingly important to the United States’ overall national defense strategy and cyber resilience.