NIST’s Second Draft of Version 1.1 of the Cybersecurity Framework Would Apply to IoT Devices
December 6, 2017
On December 5, 2017, NIST released the much-anticipated second draft of its Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (Framework Version 1.1 Draft 2 or Draft 2), along with a draft companion Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 (Roadmap), and a Fact Sheet on the proposed update. Among other high-level updates discussed below, NIST has added language extending the applicability of Framework Version 1.1 to Internet of Things (IoT) devices.
NIST originally published the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 (Framework Version 1.0) in February 2014. The Framework Version 1.1 is meant to refine, clarify, and enhance that original document. With this update, NIST is striving to cause as little disruption to implementation of the Framework as possible—meaning that current users of the Framework Version 1.0 should be able to easily implement Framework Version 1.1.
In January 2017, NIST released its Framework Version 1.1 Draft 1 (Draft 1). In response, it received over 120 comments. Additionally, NIST hosted a two-day Workshop in May 2017 to discuss Draft 1. NIST’s initial analysis of comments and Workshop summary are linked here. Draft 2 is intended to reflect the feedback which NIST received.
NIST’s Workshop summary also highlighted the topic of IoT. Specifically, it noted that emerging threats in the IoT ecosystem “highlight the pressing need to develop and apply guidance to maintain the cybersecurity of devices…” NIST summarized that the three most common IoT-related suggestions of workshop participants were to: (1) include IoT in future Framework updates; (2) create Framework Profiles for federal use cases; and (3) use a Framework-like approach of convening the public and private sectors to collaboratively create an IoT-specific document.
Framework Version 1.1 Draft 2 Broadens the Scope of the Framework to Include IoT
Draft 2 extends the Framework’s application to IoT devices. In Draft 2, NIST updates the scope of technologies covered by the Framework to “reflect security implications of a broadening use of technology.” Draft 2 notes that members of each critical infrastructure sector perform functions supported by broad categories of technology, “including information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and connected devices more generally, including the Internet of Things (IoT).” While CPS was added in Draft 1, the application to IoT devices in Draft 2 is new. NIST elaborates that the “reliance on technology, communication and interconnectivity has changed and expanded the potential vulnerabilities and increased potential risk to operations.”
Other High-Level Updates
Draft 2 also makes several other key updates to Draft 1, including:
- Cybersecurity Measurements: NIST revises its new section on cybersecurity measurements significantly. It truncates the discussion, cutting it from four pages in Draft 1 to just over one page in Draft 2. It also re-titles the section to have a focus on self-assessment and revises the body of the section to emphasize the correlation of business results to cybersecurity risk management.
- Supply Chain Risk Management: NIST refines its addition of Supply Chain Risk Management (“SCRM”) from Draft 1, clarifying the section on communicating risks with stakeholders and incorporating that information into the Implementation Tiers.
- Authorization, Authentication, and Identity Proofing: NIST adds a subcategory to the PR.AC category, which it broadened in Draft 1 from “Access Control” to “Identity Management, Authentication and Access Control.” The new authentication subcategory also provides a number of authentication Informative References. Draft 2 further highlights authentication in the document, adding a reference to authentication in the Privacy and Civil Liberties section.
- Coordinated Vulnerability Disclosures: NIST adds a new subcategory to the RS.AN—Respond Analysis—category; the new subcategory regards internal and external vulnerability disclosure programs. Specifically, “RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).” NIST also provides a number of vulnerability disclosure Informative References.
- Federal Alignment: Draft 1 had added a section regarding Federal Alignment, specifically detailing requirements of federal information systems. However, NIST removes that section in Draft 2, explaining that such statements are covered by other documents—including NISTIR 8170—and therefore are not needed in the Framework.
NIST first published a companion Framework Version 1.0 Roadmap in 2014. Like that document, the newly published draft Framework Version 1.1 Roadmap “provides a description of anticipated future activities related to the Framework and offers stakeholders another opportunity to participate actively in the continuing Framework development process.” Updates to the Roadmap for Version 1.1 include:
- Cyber-Attack Lifecycle
- Measuring Cybersecurity
- Referencing Techniques
- Small Business Awareness and Resources
- Governance and Enterprise Risk Management
Note that within the Cyber-Attack Lifecycle section, NIST adds a subsection focusing on coordinated vulnerability disclosure. Also note that Measuring Cybersecurity has been added as a Roadmap item, indicating that NIST still intends to revise the newly added Self-Assessment section of Draft 2.
In addition, NIST notes that it has renamed three sections:
- Authentication has been renamed to be Identity Management “to account for a broader range of important technical topics including authorization and identity proofing.”
- Technical Privacy Standards has been renamed to be Privacy Engineering “to better align with the concepts in related NIST publications such as Interagency Report 8062 - An Introduction to Privacy Engineering and Risk Management in Federal Systems.”
- Conformance Assessment has been renamed to be Confidence Mechanisms “to reflect a broader range of activities that instill digital trust.”
Next Steps and Timeline
Public comments on Framework Version 1.1 Draft 2 are due January 19, 2018. NIST intends to publish the final Framework Version 1.1 in early 2018.