Trade Law Daily is a Warren News publication.
ISA Urges Effectiveness Metrics

NIST to Release Cybersecurity Framework Version 1.1 in Coming Months

The National Institute of Standards and Technology plans to release Version “1.1” of its Cybersecurity Framework this winter, said Framework Program Manager Matthew Barrett during an NTCA conference Monday. NIST has been considering how to modify the existing 2014 framework in response to comments earlier this year from stakeholders who encouraged the agency not to pursue a major revamp of the document (see 1602240065). Others encouraged NIST during the event to first test drive any changes to the framework and ensure any changes are cost-effective for stakeholders.


NIST's internal “rough draft” of v1.1 already indicates the agency is heeding advice and is only pursuing tweaks to the existing document, Barrett said. “This is not a major overhaul,” he said. “One of the things that we heard proved elusive for folks was what is the relationship between the implementation tiers and the customization of the [framework] core. So we’re going to pull that thread a little bit and clarify that landscape in the updated version.” Barrett said he's working to ensure v1.1 and the original framework are completely compatible.

The Internet Security Alliance continues to believe “whatever update is done ought to be driven by effectiveness metrics,” said President Larry Clinton. “We shouldn't be advocating to do new or different things [with the framework] unless we know those things work.” ISA has been highly supportive of NIST's cybersecurity work but the agency erred in not going through a beta testing phase with the framework in 2014, Clinton said. “We don't have any data, we don't know what works, how well it works, what is cost-effective.”

NIST should develop a cost-effectiveness study of the framework that would help stakeholders voluntarily determine what parts of the framework should be prioritized “based on what the market tells us,” Clinton said. “I’m very concerned,” he said. “Not about NIST, but that the FCC and the FTC are going to take elements of this framework and they’re going to blend it ever more into regulatory methods. And that would be OK if they were cost-effective, but I don't think they’re cost-effective.” Use of the Cybersecurity Framework as a regulatory tool without such a financial review could result in the private sector being “regulated for compliance instead of security,” Clinton said. “We need to be focusing on security, not compliance.”

The FCC Communications Security, Reliability and Interoperability Council provided “practical guidance” in its 2015 report on adapting the NIST framework for use by the communications sector -- and particularly by small and medium-sized businesses in the sector, said NTCA Industry and Policy Analysis Manager Jesse Ward. The CSRIC report may appear as “daunting” for companies to digest as the original NIST framework, but it contains “a lot of good advice,” Ward said. “You don't want to create a prescriptive list. Boiling security down to that makes things a little too simple, it doesn't address evolving threats.” Companies that are just beginning to use the NIST framework should just “dig into the framework, pick a place and start,” Ward said. “You don't have to start at the top.”