NIST Is Finalizing Its Cybersecurity Framework Manufacturing Profile

The National Institute of Standards and Technology (“NIST”) recently released the final draft of its Cybersecurity Framework Manufacturing Profile—a document dealing with the desired cybersecurity outcomes and posture for manufacturing systems.  The breadth of the document is wide, encompassing any sort of manufacturer, including makers of electronic devices and consumer technology.  The Manufacturing Profile flows out of NIST’s ongoing Cybersecurity Framework work. 

Since releasing version 1.0 of the Framework in 2014, NIST has engaged in and encouraged a variety of activities—from conducting workshops to developing tools—to help organizations that voluntarily choose to implement the flexible Framework.  Profiles are one such tool.  Just like the Framework, profiles give organizations a voluntary, risk-based option to manage cyber risk.  But unlike the Framework, profiles do a deep dive into a given industry or organization.  For example, the Manufacturing Profile outlines specific business objectives for manufacturing systems, aligns the Framework’s subcategories to those objectives, and details the subcategories as they specifically apply to manufacturing.  NIST helped to create a similar tool with the United States Coast Guard for the Maritime Bulk Liquids Transfer area.

NIST released this final Manufacturing Profile during the open comment period for its overall update to the Framework, with the comments for each being due back-to-back.  NIST has proposed the Framework version 1.1, which, among other things, would add sections to the Framework regarding Supply Chain Risk Management (SCRM) and metrics.  Comments for the Framework version 1.1 were due April 10; comments for the Manufacturing Profile are due Monday, April 17. 

The Manufacturing Profile may offer guidance to manufacturers of high-tech equipment, including Internet of Things devices.  A few examples include:

  • External information sharing. The expectation that manufacturers will “[c]ollaborate and share information about potential vulnerabilities and incidents on a timely basis” and “[e]stablish and maintain ongoing contact with security groups and associations, and receive security alerts and advisories.” ID.RA.2. Given recent promotion of vulnerability disclosure programs, or “bug bounties,” companies should consider what external collaboration they are willing to engage in.

  • NIST also notes that supply chains can be complex, as “[s]upporting services include, for example, Telecommunications, engineering services, power, water, software, tech support, and security.” Manufacturing Profile at 50. When it comes to supporting services, NIST expects that manufacturers with mature cyber postures will “[p]rotect against supply chain threats to the manufacturing system, system components, or system services by employing security safeguards as part of a comprehensive, defense-in-depth security strategy.” ID.BE.1.

Because manufacturers can be large or small, low- or high-tech, companies making products for consumers or others should consider the government’s evolving expectations and guidance when it comes to security.
