Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks.  Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST to get a better understanding of how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework.  The key updates in Version 1.1 are summarized below.

• Explicitly expanded the applicability of the Framework outside of critical infrastructure: Version 1.1 states that the Framework is useful for addressing cybersecurity for any company relying on technology, “whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).”

• Explained how to use the Framework for organizational self-assessment: Version 1.1 adds a new section that guides companies on how to use the Framework to understand and assess their cybersecurity risk, including how to choose and deploy performance metrics to measure progress or flag issues.

• Enhanced guidance for applying the Framework to supply chain risk management: Version 1.1 added Supply Chain Risk Management to the Framework Core (a set of cybersecurity activities, outcomes, and informative references that are common across sectors).  Cyber supply chain risk management focuses on identifying, assessing, and mitigating acquired products and services that may contain malicious functionality, be counterfeit, or have critical vulnerabilities as a result of poor manufacturing practices.

• Added definition of “Cybersecurity Incident”: Version 1.1  adds a definition of Cybersecurity Incident as distinguished from a Cybersecurity Event.  “Cybersecurity Incident” is defined as “[a] cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.”  The term “Cybersecurity Event” (“cybersecurity changes that may have an impact on organizational operations”) remains in the Framework.  As a result, Version 1.1 more precisely differentiates between cybersecurity issues that may impact an organization and those that actually impact the organization.  This distinction may help companies when implementing detection and recovery functions.

• Refined authorization, authentication, and identity proofing: Version 1.1 renames the “Access Control” category to “Identity Management and Access Control” and adds subcategories for identity verification and authentication commensurate with the risk of the transaction.

• Clarified confusion around the term “compliance”: Version 1.1 clarifies that, as used in the Framework, the term “compliance” refers to using the Framework to organize a company’s compliance with its own internal cybersecurity requirements; there is no ultimate “compliance with the Framework.”

The changes made in Version 1.1 are intended to be “fully compatible” with Version 1.0.  Companies that have already incorporated Framework Version 1.0 are encouraged to implement the additional content as appropriate.  Companies new to the Framework should follow Version 1.1.