NIST Is Finalizing Its Cybersecurity Framework Manufacturing Profile
The National Institute of Standards and Technology (“NIST”) recently released the final draft of its Cybersecurity Framework Manufacturing Profile—a document dealing with the desired cybersecurity outcomes and posture for manufacturing systems. The breadth of the document is wide, encompassing any sort of manufacturer, including makers of electronic devices and consumer technology. The Manufacturing Profile flows out of NIST’s ongoing Cybersecurity Framework work.
Since releasing version 1.0 of the Framework in 2014, NIST has engaged in and encouraged a variety of activities—from conducting workshops to developing tools—to help organizations that voluntarily choose to implement the flexible Framework. Profiles are one such tool. Just like the Framework, profiles give organizations a voluntary, risk-based option to manage cyber risk. But unlike the Framework, profiles do a deep dive into a given industry or organization. For example, the Manufacturing Profile outlines specific business objectives for manufacturing systems, aligns the Framework’s subcategories to those objectives, and details the subcategories as they specifically apply to manufacturing. NIST helped to create a similar tool with the United States Coast Guard for the Maritime Bulk Liquids Transfer area.
NIST released this final Manufacturing Profile during the open comment period for its overall update to the Framework, with the comments for each being due back-to-back. NIST has proposed the Framework version 1.1, which, among other things, would add sections to the Framework regarding Supply Chain Risk Management (SCRM) and metrics. Comments for the Framework version 1.1 were due April 10; comments for the Manufacturing Profile are due Monday, April 17.
The Manufacturing Profile may offer guidance to manufacturers of high-tech equipment, including Internet of Things devices. A few examples include:
External information sharing. The expectation that manufacturers will “[c]ollaborate and share information about potential vulnerabilities and incidents on a timely basis” and “[e]stablish and maintain ongoing contact with security groups and associations, and receive security alerts and advisories.” ID.RA.2. Given recent promotion of vulnerability disclosure programs, or “bug bounties,” companies should consider what external collaboration they are willing to engage in.
NIST also notes that supply chains can be complex, as “[s]upporting services include, for example, Telecommunications, engineering services, power, water, software, tech support, and security.” Manufacturing Profile at 50. When it comes to supporting services, NIST expects that manufacturers with mature cyber postures will “[p]rotect against supply chain threats to the manufacturing system, system components, or system services by employing security safeguards as part of a comprehensive, defense-in-depth security strategy.” ID.BE.1.
Because manufacturers can be large or small, low- or high-tech, companies making products for consumers or others should consider the government’s evolving expectations and guidance when it comes to security.