Federal scientists at the government’s technology laboratory have issued a draft update to their widely adopted Cybersecurity Framework, adding for the first time a way of quantifying risk and security outcomes.
Other changes proposed Tuesday by the National Institutes of Standards and Technology include the addition of more detailed use cases and an agreed vocabulary on supply chain risk management; and the addition of identity management.
At the direction of an executive order from President Obama, NIST published version 1.0 of the framework back in February 2014 following consultations with industry, academia and government agencies.
They’ve been collecting feedback and suggestions for changes and enhancements almost ever since.
“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework,” and those currently using 1.0 should be able to implement the new version seamlessly.
Version 1.1 incorporates feedback including comments in response to NIST’s December 2015 Request for Information; questions frequently asked of NIST staff; and comments from 800 attendees at the April 2016 Cybersecurity Framework Workshop at the NIST campus in Gaithersburg, Maryland.
One area where businesses have asked for more detail is in regard to third-party or supply chain risk management. In a web post, NIST officials said the authors had developed a defined vocabulary so all parties to a supply chain or a business deal “can clearly understand cybersecurity needs.”
The framework, a high-level technical document, breaks cybersecurity down into five functions: identify, protect, detect, respond and recover. Each of those is further broken down into three to six categories — 23 in all — including things like “Risk Assessment,” “Awareness and Training” and “Response Planning.”
The draft adds “Supply Chain Risk Management” as a new category under the identify function; and renames “Access Control” as “Identity Management and Access Control,” to better reflect the real nature of the task.
The draft also clarifies and expands the definitions of some terms used in that category like “authentication” and “authorization.”
But it is the addition of a system for quantifying risk and security outcomes that is likely to prove most controversial — although officials stress it is a draft.
“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
The draft is open for public comment until April 10.