NIST Hosts Webcast on Latest Cybersecurity Framework Draft

December 21, 2017

On December 20, 2017, the National Institute of Standards and Technology (NIST) hosted a webcast on Version 1.1 Draft 2 of the NIST Cybersecurity Framework. NIST released Version 1.1 Draft 2 and its accompanying Roadmap on December 5, 2017. Our summary can be found here.

The Framework seeks to provide “a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk at all levels in an organization and is applicable to organizations of all sizes and sectors.” With Version 1.1, NIST hopes to cause as little disruption as possible to current Framework implementation.

Part One: Framework Overview

The first half of the webcast provided a broad overview of the Framework and its history. NIST released Version 1.0 of the Framework on February 12, 2014. It issued an update–Version 1.1 Draft 1–on January 10, 2017. Version 1.1 is meant to refine, clarify, and enhance Version 1.0. We have previously analyzed Version 1.0 and Version 1.1 Draft 1.

Matt Barrett, Program Manager for the NIST Cybersecurity Framework, described the Framework’s structure and how organizations utilize the document. He noted that the Framework is gaining traction internationally and is already used in various countries around the world. For example, Bermuda’s government uses the Framework and recommends that industry do the same. The Framework has been translated to Japanese, Italian, and Hebrew. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are also examining the Framework, and they may publish a related technical report in the future.

Part Two: Framework Version 1.1 Draft 2

The second half of the webcast discussed changes to the Framework in Version 1.1 Draft 2. NIST intends for Draft 2 to clarify, refine, and enhance the original version of the Framework. The Draft’s updates are derived from feedback since publication of Framework Version 1.0 and Version 1.1 Draft 1. Stakeholders have submitted feedback through comments, workshops, and various NIST outreach engagements.

Mr. Barrett said that the feedback has prioritized Framework clarity. Stakeholders do not want a complete overhaul of the Framework and have emphasized the need for compatibility with Version 1.0. He noted the major changes in Draft 2, which include:

  • Guidance for Self-Assessment using the Framework;
  • Guidance on how to apply the Framework to Supply Chain Risk Management;
  • The inclusion of Authorization, Authentication, and Identity Spoofing in the Framework Core;
  • The inclusion of Coordinated Vulnerability Disclosure in the Framework Core; and
  • Refined Tier criteria and increased clarity of the implementation Tiers.

The revised Roadmap is meant to identify key areas of further development, alignment, and collaboration. Mr. Barrett discussed specific revisions to the Roadmap, which we explore in depth in our analysis of Version 1.1 Draft 2.

Public comments on Version 1.1 Draft 2 are due January 19, 2018. Comments may be submitted to cyberframework@nist.gov. NIST intends to publish the final Framework Version 1.1 in early 2018 and will hold a workshop in 2018, on a to-be-determined date.

***

For years, Wiley Rein has been actively engaged with NIST on cybersecurity. We have advised numerous companies on how evolving cybersecurity expectations will impact them, including concerns related to regulatory obligations, consumer communications, and government contract provisions.

We are happy to answer questions you may have.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek