The National Institute of Standards and Technology (NIST)’s Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework, remains one of the most widely adopted security frameworks; in one industry survey, 70% of organizations described it as a security best practice. The Framework is consistently referenced in cybersecurity guidance released by major maritime industry stakeholders such as the IMO, BIMCO and the U.S. Coast Guard. First published in February 2014 in response to Executive Order 13636, the Framework’s main objective is to provide public and private sector organizations with “a set of industry standards and best practices to help organizations manage cybersecurity risks.” Developed collaboratively by government and the private sector, it uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
NIST released Version 1.1 of the Cybersecurity Framework in April 2018, incorporating feedback from public comments and workshops held during 2016 and 2017. Version 1.1 updates the treatment of authentication and identity, self-assessment of cybersecurity risk, cyber supply chain risk management, and coordinated vulnerability disclosure. It adds a section explaining how organizations can use the Framework to understand and assess their cyber risk, and sections on risks arising from the supply chain and from purchasing commercial off-the-shelf products and services. The following table summarizes the changes between Version 1.0 and Version 1.1:
| Update | Description of Update |
| --- | --- |
| Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders | Added clarity that the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. However, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing. |
| A new section on self-assessment | Added Section 4.0, Self-Assessing Cybersecurity Risk with the Framework, to explain how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements. |
| Greatly expanded explanation of using the Framework for Cyber Supply Chain Risk Management purposes | An expanded Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4, Buying Decisions, highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core. |
| Refinements to better account for authentication, authorization, and identity proofing | The language of the Access Control Category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. The Category has also been renamed Identity Management and Access Control (PR.AC) to better represent the scope of the Category and its Subcategories. |
| Better explanation of the relationship between Implementation Tiers and Profiles | Added language to Section 3.2, Establishing or Improving a Cybersecurity Program, on using Framework Tiers in Framework implementation. Added language to the Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. The Framework Tier concepts were also refined. Updated Figure 2.0 to include actions from the Framework Tiers. |
| Consideration of Coordinated Vulnerability Disclosure | A Subcategory related to the vulnerability disclosure lifecycle was added. |
The full Version 1.1 document is available from NIST. NIST also plans to release an updated Roadmap for Improving Critical Infrastructure Cybersecurity later this year as a companion to the Framework.
“There’s a lot to like in the new Framework, but one area where they made big strides is on supply chain risk management,” said David Damato of Tanium in response to Fifth Domain. “2017 was the year of the supply chain attack, with attacks from NotPetya to CCleaner originating with a breach of a company’s third-party partner. The increasing attention NIST is bringing to this issue, and the standardized language they offer, will go a long way in helping organizations better understand the risks associated throughout their supply chain.”
The Cybersecurity Framework remains a gold standard for cross-sector critical infrastructure cybersecurity guidance worldwide. Gnostech continues to apply NIST frameworks, together with sound engineering practices, when providing custom cybersecurity engineering services to maritime clients under our SafeHarbor capabilities. The Cybersecurity Framework is a living document that will continue to be updated, and Gnostech will analyze subsequent versions to stay at the forefront of industry best practices for mitigating cyber risk in the maritime industry.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and in major combat and space systems development and integration. For more information, visit www.gnostech.com or stay connected by following us on LinkedIn or @GnostechInc on Twitter.