On 16 April, 2018, the National Institute of Standards and Technology (NIST) published Version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which updated the original version published in 2014. The Framework, developed through a collaborative effort involving stakeholders from government, industry, and academia, is a voluntary guidance based on existing standards, guidelines, and practices. It provides a flexible, repeatable and cost-effective approach for organizations to identify, manage and assess cybersecurity risks, prioritize cybersecurity resources, make risk decisions and take action to reduce risk. It also enhances cybersecurity communication within an organization and with other organizations (such as partners, suppliers, regulators and auditors).
While the Framework was designed for companies that are considered U.S. critical infrastructure, NIST and business groups agree that any company or organization can utilize the Framework in managing cybersecurity risks. As stated in the Executive Summary of the new version, “The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving security and resilience.”
And business and industry groups fully agree.
The U.S. Chamber of Commerce called it “a pillar for managing enterprise cyber risks and threats,” and remarked that “(t)he Framework enables organizations—regardless of their size, risk profile, or cyber sophistication—to develop a plan from scratch or improve an existing one."
Similarly, the Business Roundtable stated that “(t)he Framework provides companies of all sizes with a flexible approach to evaluate their cybersecurity posture as threats and vulnerabilities evolve…. The Framework provides a solid baseline for cybersecurity risk management practices.”
Finally, the Information Technology Industry Council, called it “a great tool that allows you to measure your cyber capabilities, your risks, it allows you as an organization to figure out where you need to move to improve your cyber posture.”
As requested by Framework commenters, NIST is also seeking to provide interested parties with success stories of organizational use of the Framework to explain and show how organizations have specifically used the Framework to improve their cybersecurity risk management. NIST also is developing modules on lessons learned and, as noted, continues to make sure the Framework can be effectively utilized by companies and organizations outside the critical infrastructure sectors.
No matter what the extent or degree of maturity of your organization’s cybersecurity programs, cybersecurity commentators are universally recommending that it is worth taking a look at the new version of the Framework.