Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST issued a request for information to get a better understanding of how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework. The key updates in Version 1.1 are summarized below.

  • Explicitly expanded the applicability of the Framework outside of critical infrastructure: Version 1.1 states that the Framework is useful for addressing cybersecurity for any company relying on technology, “whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT)”.
  • Explained how to use the Framework for organizational self-assessment: Version 1.1 adds a new section that guides companies on how to use the Framework to understand and assess their cybersecurity risk, including how to choose and deploy performance metrics to measure progress or flag issues.
  • Enhanced guidance for applying the Framework to supply chain risk management: Version 1.1 adds a Supply Chain Risk Management category (ID.SC) to the Framework Core (the set of cybersecurity activities, outcomes, and informative references that are common across sectors). Cyber supply chain risk management focuses on identifying, assessing, and mitigating the risk that acquired products and services contain malicious functionality, are counterfeit, or are vulnerable because of poor manufacturing and development practices.
  • Added definition of “Cybersecurity Incident”: Version 1.1 adds a definition of Cybersecurity Incident as distinguished from a Cybersecurity Event. “Cybersecurity Incident” is defined as “[a] cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.” The term “Cybersecurity Event” (“cybersecurity changes that may have an impact on organizational operations”) remains in the Framework. As a result, Version 1.1 more precisely differentiates between cybersecurity issues that may impact an organization and those that actually do. This distinction may help companies when implementing the Detect, Respond, and Recover Functions.
  • Refined authorization, authentication, and identity proofing: Version 1.1 renames the “Access Control” category to “Identity Management, Authentication and Access Control” (PR.AC) and adds subcategories for identity proofing (identities are proofed and bound to credentials) and for authenticating users, devices, and other assets commensurate with the risk of the transaction (for example, single-factor versus multi-factor authentication).
  • Clarified confusion around the term “compliance”: Version 1.1 clarifies that, as used in the Framework, the term “compliance” refers to using the Framework to organize a company’s compliance with its own internal cybersecurity requirements; there is no ultimate “compliance with the Framework”.

The changes made in Version 1.1 are intended to be “fully compatible” with Version 1.0. Companies that have already incorporated Framework Version 1.0 are encouraged to implement the additional content as appropriate. Companies new to the Framework should follow Version 1.1.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program Operating Manual (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.