NIST Releases Draft Update to Cybersecurity Framework

Locke Lord LLP

The National Institute of Standards and Technology (NIST) has released its first draft update (the “Draft Update,” available with and without markup here) to its 2014 Framework for Improving Critical Infrastructure Cybersecurity. The Framework was designed to provide guidance for organizations seeking to enhance cybersecurity relating to critical infrastructure, and has been used by a broad array of organizations to define and achieve cybersecurity goals. The Draft Update was prepared to “refine” the Framework and make it easier to use, according to Matt Barrett, NIST’s program manager for the Cybersecurity Framework.

Release of the Draft Update is made in consideration of comments received by NIST in the years since promulgation of the Framework. The Draft Update revises the Framework to provide additional guidance on addressing supply chain risks and cybersecurity measurement and demonstration methods.

On the topic of supply chain risk management, the Draft Update identifies a primary consideration as “assess[ment] and mitigat[ion] of ‘products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.’” (Citing NIST Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations, Boyens et al, April 2015, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf.) On this issue, the Draft Update includes guidance on:

  • the establishment of security requirements for suppliers (with appropriate communications, enforcement and validation protocols);
  • consideration of cybersecurity issues in buying decisions; and
  • means to assess supply chain risk management within the Framework’s traditional Implementation Tiers.

With respect to cybersecurity measurement methods, the Draft Update sets forth a reasonable, realistic approach to cybersecurity measurement, recognizing the need to manage costs effectively and to correlate cybersecurity measures with business needs. The Draft Update goes on to provide a table of “Types of Framework Measurement” for organizations, comprising Practices (“General risk management and behaviors”); Process (“Specific risk management activities”); Management (“Fulfillment of general cybersecurity outcomes”); and Technical (“Achievement of specific cybersecurity outcomes”).

A NIST release concerning the update is available here. The Draft Update is subject to public comment through April 10, 2017, and comments may be submitted to cyberframework@nist.gov. The Framework remains a practical, risk-based guidance document for entities seeking to improve their information security practices, and, as noted by Mr. Barrett, “voluntary and flexible to adaptation.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
