Big changes to the National Institute of Standards and Technology’s Cybersecurity Framework, such as the introduction of a section on coordinated vulnerability disclosure, may be pushed off to a future major revision rather than be included in the forthcoming Version 1.1.
That’s the takeaway from a report last week of the NIST public consultation workshop in May, in which the agency lays out plans to complete the overhaul of the popular cybersecurity guide by early next year.
The commitment to “backwards compatibility” — ensuring users of the existing Version 1.0 can employ the new Version 1.1. — means that only smaller tweaks, like the addition of multi-factor identity authentication or new language for Internet of Things risks, can be addressed in the update.
In the report, NIST laid out plans to inch ahead with a number of proposed changes to the draft V1.1 released in January. They include:
- Rewrites to the section on measuring cybersecurity — business leaders wanted it made clear that this was about self-assessment, not audits or legal standards.
- A new subsection in identity and access management — Authentication. Including a three tier description of risk-based authentication methods: “single, multi-factor, continuous.”
- Integration of proposed language on cyber supply chain risk management.
- Removing a section on applying the framework in federal agencies. Under the Trump executive order, that guidance now appears in a separate document. The report hints this might also help in facilitating international adoption of the framework.
- Most radically, “evaluation and possible language updates throughout the document to better accommodate IoT and Industrial Control Systems cybersecurity.”
The report says there was consensus that coordinated vulnerability disclosure, or CVD — where companies create a channel for reporting and fixing bugs in the software they create — was a mature discipline. But some participants nonetheless advocated a “phased integration over multiple iterations of the framework.”
“Some participants suggested framework Version 1.1 was an appropriate venue to introduce CVD. Other participants suggested Version 2.0 might be more suitable for comprehensive inclusion with more time to research the intersection between CVD and the framework.”
The report says NIST will issue a new draft this fall and a final Version 1.1 next year.