
Cybersecurity Framework Frequently Asked Questions

PROPOSED UPDATES TO CYBERSECURITY FRAMEWORK


49. Why is NIST proposing to revise the Cybersecurity Framework now?
A. Generally, feedback from the December 2015 RFI indicated that Cybersecurity Framework (the Framework) stakeholders are ready for some refinement and clarification in the form of an update. NIST has expressed the notion of periodic updates as a normal modus operandi since Framework development work began in February 2013. NIST is proceeding with an update per its role under the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.

50. How did NIST determine features for this update?
A. Framework stakeholders provided feedback to NIST through a December 2015 Request for Information, lessons learned from Framework use, shared resources from industry partners, and an April 2016 Cybersecurity Framework workshop. NIST also considered feedback received through meetings and events since the release of Framework Version 1.0, as well as advances made in areas identified in the Roadmap issued in February 2014, when the Framework was initially published.

51. What changes are included in the proposed revision?
A. The draft revision (Version 1.1):

  • Clarifies use of Implementation Tiers and their relationship to Profiles,
  • Enhances guidance for applying the Framework for supply chain risk management,
  • Provides guidance on metrics and measurements using the Framework,
  • Adds the concept of identity proofing and expands authorization, and
  • Updates FAQs to support understanding and use of the Framework.

52. What does this mean for organizations that already have incorporated the current Framework?
A. The Framework update (V1.1) is intended to be fully compatible with V1.0. Either version may be used. NIST recommends that organizations incorporate the additional content and functionality of V1.1 once it is finalized, but the decision and its timing are up to the individual organization. This is a voluntary framework.

53. Should organizations use the new, draft version or should they wait until it is formally changed?
A. Each organization should review the proposed changes and decide whether there are provisions that will benefit them right away, or whether they should wait until the changes are final. At a minimum, every organization is encouraged to review the proposed update. NIST encourages reviewers to comment on this draft update. It is noteworthy that stakeholder opinion on the proposed updates, expressed in the comment period (open through 10 April 2017) and at the upcoming workshop (May 2017, dates TBD), stands to significantly shape Version 1.1 of the Framework. There could be substantive changes between the draft and final versions.

54. Will comments provided to NIST be made public, and when will the changes become final? Will there be a public forum for discussion of these proposed changes?
A. Using the Cybersecurity Framework website, NIST will publish all comments received in response to the January 25, 2017, Federal Register notice. NIST anticipates publishing a final V1.1 in the fall of 2017 after considering all comments received. NIST is planning a mid-to-late May 2017 workshop to discuss comments about the proposed update. That workshop will also explore user experiences and Framework-related areas that continue to need greater attention by the private and public sectors.

55. What assistance will NIST provide to organizations that choose to incorporate the additional content and functionality of the new version of the Framework?
A. NIST will continue to educate organizations through both NIST-hosted and other events. NIST will regularly update its web-based FAQs, presentations, and Industry Resources page, which offers information about how organizations are using or citing the Framework. NIST will also continue to respond to questions it receives at cyberframework@nist.gov.

56. Once this updated version is finalized, how often will NIST update the Framework?
A. Decisions about the timing of updates will be made based on user experiences, technological advances, and standards innovations. Updates similar to the current proposal will likely occur no more frequently than every other year.

57. Were there changes proposed to the Framework in light of progress made in areas identified in the 2014 Roadmap?
A. Yes. The most notable changes are related to Supply Chain Risk Management, where multiple provisions have been added, including a new category in the Framework Core and a new property within Implementation Tiers. Additional provisions related to identity management and access control have been included in the proposed update. Also, statements about Federal agency Framework are included in the proposed update. Informative References also have been updated, reflecting the advancement of standards and guidelines by private and public sector organizations.

Created January 25, 2017