Last month, NIST released its long-awaited Version 1.1 of the Cybersecurity Framework (CSF).

According to the NIST website: “This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

California government departments abide by NIST 800-171 for all software-as-a-service offerings. State Deputy CIO Chris Cruz told Techwire on May 8 that NIST requirements are limited to SaaS since the data is usually associated with software licenses. This release coincides with California's efforts to grade department cybersecurity efforts, according to Peter Liebert, CISO for the state.

Recent NIST details include:

  • Version 1.1 of the Framework was published on April 16. The document has evolved to be even more informative, useful and inclusive for all kinds of organizations. Version 1.1 is fully compatible with Version 1.0 and remains flexible, voluntary and cost-effective. Among other refinements and enhancements, the document provides a more comprehensive treatment of identity management and additional description of how to manage supply chain cybersecurity.  
  • The recorded version of the April 27 webcast is available.
  • Success Stories regarding Framework use/Implementation have been added to the website! Our first Success Story comes from the University of Chicago, check it out HERE!
  • Start Using the Baldrige Cybersecurity Tool: Here's Help. Learn how the Information Security Team of the University of Kansas Medical Center (KUMC) began using the Baldrige Cybersecurity Excellence Builder (BCEB) — which is a voluntary self-assessment tool based on the Cybersecurity Framework.

Industry Response to Cybersecurity Framework

Rather than just another business-as-usual update, this new version of the Cybersecurity Framework has received roaring approval around the nation and the world. Wherever I travel, I hear about more and more organizations that have implemented, or are or will be implementing this approach to protect their critical systems and networks and people. 

Here are just a few of the helpful articles that highlight the growing influence of this plan:

  • CSO magazine: The rise of the NIST cybersecurity framework
  • ThreatPost: NIST Updates Cybersecurity Framework to Tackle Supply Chain Threats, Vulnerability Disclosure and More
  • Security Boulevard: NIST Updates Cybersecurity Framework
  • CSO Online Opinion: Implementing the NIST cybersecurity framework could be worth at least $1.4m to your business
  • Health Data Management: How providers can implement the NIST cybersecurity framework

Final Thoughts  

Once again, I urge readers to take a close look at the new Cybersecurity Framework, and how it can be adopted by your enterprise. The new CSF Version 1.1 has been several years in the making, and if you already use the CSF, you probably want to tweak your approach and/or policies and procedures using the updates.

In addition, I like the fact that the CSF covers people, process and technology — this is not just about technology and process. There are new sections on self-assessing cybersecurity risk.

This paragraph from page v of the executive summary sums the CSF up well:

“While this document was developed to improve cybersecurity risk management in critical infrastructure, the Framework can be used by organizations in any sector or community. The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving security and resilience.”

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author. He has served in the public and private sectors in IT leadership , and he led Michigan's cybersecurity and technology infrastructure teams from May 2002 to August 2014, and has held Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan. He currently serves as the Chief Security Officer and Chief Strategist for Security Mentor Inc.