By SecureWorld News Team
Tue | Jan 17, 2017 | 12:48 PM PST

The National Institute of Standards and Technology (NIST) has issued its first round of revisions to the Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the Cybersecurity Framework).

Sections have been added or updated to explain things like how to measure the results of your cybersecurity metrics, how to better account for identity management and access control, and how to properly manage cyber supply chain risks.

“We wrote this update to refine and enhance the original document and to make it easier to use,” says Matt Barrett, NIST’s program manager for the Cybersecurity Framework, in a press release. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

The addition of section 4.0, Measuring and Demonstrating Cybersecurity, is one of the largest revisions to the framework, which is to be used as the starting point for comprehensive measurement and analysis. The goal is to be able to correlate your cybersecurity initiatives with your business objectives, with quantifiable cause-and-effect results and measurements.

“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett says, adding, “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

A summary of these measurements and metrics is outlined within the framework in this table:

[Image: framworktable.jpg]

It's important for an organization to assign these measurements to specific individuals; for example, an operations manager might be tasked with data protection, and would therefore be measured on how well that data is protected.

Changes to this document were gathered from feedback and frequently asked questions after the original draft was published in February of 2014.

NIST is asking for your feedback and comments on these revisions as well. You can submit them to cyberframework@nist.gov by April 10th, 2017.  
