hacker at a computer screen

The NIST Cybersecurity Framework gets a reboot with Version 1.1

The NIST Cybersecurity Framework is the US standard regulated by the National Institute is Standards and Technology. The original version set out in February 2014 has now been updated to Version 1.1. Let’s take a look at what’s changed.

What is the NIST Cybersecurity Framework?

Created by the US National Institute of Standards and Technology, the NIST Cybersecurity Framework (NIST CSF) is a set of policies for private sector organisations to follow to assess their cyber risk.

The NIST CSF is divided into three sections; Core, Profile and Tiers. The Framework Core involves answering questions that relate to the organisation’s approach to cybersecurity. Framework Profiles are outcomes that the organisation wants, based on their needs and risks. And the Framework Tiers are created by the organisation and include needs that arise from risk assessments.

What are the updates to the NIST Cybersecurity Framework?

“We didn’t want to change the framework substantially so the two frameworks could work with each other.”

Matt Barrett – NIST Cybersecurity Framework Program Manager


Clarification of the term ‘compliance’

NIST recognises that the term ‘compliance’ could mean different things to different people because of the different ways in which the framework can be used. They have stated that the Cybersecurity Framework works as a “structure and language for organising and expressing compliance with an organisation’s own cybersecurity requirements”“.


New Self-Assessment section

NIST has added ‘Section 4.0 Self-Assessing Cybersecurity Risk with the Framework’  which details how organisations can understand, asses and measure their risk and actions.


Supply Chain Risk Management and Buying Decisions

Section 3.3 ‘Communicating Cybersecurity Requirements with Stakeholders’ has been expanded to make Cyber Supply Chain Risk Management (SCRM) easier to understand. NIST has also added a section on Buying Decisions (3.4) to highlight how organisations can use the Cybersecurity Framework to understand the risks of buying off-the-shelf commercial products and services.

New Cyber Supply Chain Risk Management criteria has been added to the Implementation Tiers and a Supply Chain Risk Management Category, (including multiple Subcategories), has been added to the Framework Core.


Authentication, authorisation, and identity proofing

In the Access Control Category, the language has been updated to make it clearer that authentication, authorization, and identity proofing is being taken into account. This means that one Subcategory has been added for each, and has been renamed to ‘Identity Management and Access Control (PR.AC).


The relationship between Implementation Tiers and Profiles

Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ has been updated with information on using Framework Tiers in Framework implementation. The below graphic from NIST illustrates actions from the Framework Tiers.


Consideration of Coordinated Vulnerability Disclosure

Finally, NIST has added a new subcategory that details the vulnerability disclosure lifecycle. Users of the Cybersecurity Framework are still encouraged to customise the flexible framework based on their organisation’s needs and scope.

Webcast: Cybersecurity Framework Version 1.1 Overview

ISMS.online can help you with that