Last week, the National Institute of Standards and Technology (NIST) issued a draft update of its Framework for Improving Critical Infrastructure Cybersecurity, or as we call it in the biz, the Framework. This is the first proposed change since the voluntary guidelines were published in February 2014.
The Framework Version 1.1 contains an all-new section on the correlation between business results and cybersecurity risk management measures. There’s also additional guidance on how to use the Framework for cyber supply chain risk management (SCRM), identity management, and access control.
“We wrote this update to refine and enhance the original document and to make it easier to use,” says Matt Barrett, program manager for the Cybersecurity Framework. “This update is fully compatible with the original Framework, and the Framework remains voluntary and flexible to adaptation.”
What’s Our Take?
We’re in the process of studying these just-proposed changes and analyzing what they mean for our clients. While the Framework is not a panacea (wouldn’t that be nice?), it’s a great foundation for organizational cybersecurity. We look forward to reporting back soon. In the meantime, you can read the full text of Version 1.1 here.