*This article first appeared on Law360 on April 17, 2018
On April 17, the National Institute for Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework. Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 is a must do for all CEO’s.” Version 1.1 is dated April 16, 2018.
The new version focuses substantially more on supply chain risks and management than the prior iteration, and also stresses the importance of focusing on: effective internal communications among technical and non-technical personnel, threat intelligence and information sharing, as well as increased collaboration with relevant outside parties.
Significantly, version 1.1 adds important material regarding cybersecurity “governance,” including heightened attention to integrated risk management and budgeting by senior executives; the importance of senior cybersecurity and non-cybersecurity executives communicating regularly regarding cybersecurity risk; and, the responsibility of senior executives ensuring consideration of cybersecurity through all lines of operation in the organization.
As with the first version of NIST’s Cybersecurity Framework, all companies should review the new version, determine its potential utility, and consider adopting, adapting or comparing the new Framework for use within their own cyber ecosystems. Boards of Directors should also be generally familiar with the Framework, and encourage management to discuss potential application or implications of the document for addressing their companies’ own cyber risks.
The Framework was originally developed to focus on energy, banking, communications, and defense sectors, but has been adopted voluntarily by a much broader group of companies and government agencies. The revision process began in 2015, and involved extensive public engagement with interested parties, two draft publications, over two hundred comments and over 1200 participants in workshops conducted in 2016 and 2017.
Like its predecessor, the new Framework adopts a practical, flexible and cost-conscious approach. For example, the revised introduction notes that “similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization’s overall risk management.”
NIST identifies the following topics as the subjects of the most significant updates in version 1.1:
- authentication and identity,
- self-assessing cybersecurity risk,
- managing cybersecurity within the supply chain and
- vulnerability disclosure.
NIST provides a link to the new version that is marked-up to show redlined changes from version 1.0, including a summary chart of changes made between versions 1.0 and 1.1.
The new document stresses that the Framework is primarily “a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements” rather than a means to establish compliance with a defined set of external standards. The revised version explains the Framework’s utility to different organizations as providing a flexible way to address cybersecurity including physical and “people” dimensions, as well as IT systems, industrial control systems, and Internet of Things (IoT) devices.
Version 1.1 also acknowledges that the concept of “compliance” with the voluntary provisions and flexible standards of the Framework is incongruous, and “can be confusing and mean something very different to various stakeholders.” NIST presumably highlights this metaphysical tension in order to emphasize that the Framework is “not a one-size-fits-all approach to managing cybersecurity risk,” and that companies have “unique risks – different threats, different vulnerabilities, different risk tolerances.” The Framework affirmatively encourages organization to customize their practices under the Framework rather than impose the Framework lock, stock and barrel.
The significant new material in version 1.1 includes detailed consideration of supply chain risks. The revised Framework indicates that the primary objective supply chain risk management (SCRM) is to identify, assess, and mitigate the risk of products and services that “may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.” Highlighted SCRM activities may include setting cybersecurity requirements for suppliers, specifying cybersecurity requirements through contracts, telling suppliers how those cybersecurity requirements will be verified and validated, and verifying that cybersecurity requirements are satisfied through appropriate assessment methodologies.
Other key new areas developed in the revised Framework include threat intelligence and information sharing and enhanced internal communications. The new document encourages organizations to understand their role in the larger cyber ecosystem and should consider collaboration and information sharing. With regard to intra-organization information sharing, version 1.1 suggests that senior cybersecurity and non-cybersecurity executives should communicate regularly regarding cybersecurity risk.
Significantly, the revised Framework recommends that “senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance.”
In the closing pages of the document, the new framework adds a new definition for “cybersecurity incident” on top of the prior definition for “cybersecurity event.” Accordingly, version 1.1 now contains these two definitions (emphases added):
|· “Cybersecurity Event:||A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).”|
|· “Cybersecurity Incident:||A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.”|
Based on the new nomenclature, the hierarchy of cyber occurrences in increasing order of seriousness are: cyber changes, events, and incidents. “Events” prompt the need for investigation, assessment and judgment. “Incidents” prompt the need for response and recovery. The document does not define or even use the term “breach.”
In all, NIST has once again produced a useful, flexible document that can be applied or adapted, in whole or in part, voluntarily, by a wide range of companies. The document remains free of prescriptive language and ideological content. It does not re-invent cybersecurity wheels. Rather, it identifies and correlates a broad range of existing standards developed previously by NIST, or by other private standard-setting bodies like ISO or COBIT. The document is still easy to read, and should be entirely accessible to executives, directors and non-technical personnel. Bravo NIST and the Department of Commerce!