On December 5, 2017, NIST published a revised version of the NIST Cybersecurity Framework (i.e., Draft 2 of Version 1.1) (“Framework”). According to NIST, Version 1.1 of the Framework refines, clarifies, and enhances Version 1.0 of the Framework issued in February 2014, and the recently published Draft 2 of Version 1.1 is informed by over 120 comments on the first draft proposed in January 10, 2017, as well as comments and discussion by attendees at NIST’s workshop in May 2017.
Among the various revisions, they include revisions intended to: (1) clarify and revise cybersecurity measurement language; (2) clarify the use of the Framework to manage cybersecurity within supply chains; (3) better account for authorization, authentication, and identity proofing; (4) better consider coordinated vulnerability disclosure, including the addition of a subcategory related to the vulnerability disclosure lifecycle; and (5) remove statements related to federal applicability in light of various intervening policies and guidance (e.g., Executive Order 13800, OMG Memorandum M-17-25, and Draft NIST Interagency Report (NISTIR) 8170) on federal use of the Framework.
NIST seeks public comment on the following questions by January 19, 2018:
-
Do the revisions in Version 1.1 Draft 2 reflect the changes in the current cybersecurity ecosystem (threats, vulnerabilities, risks, practices, technological approaches), including those developments in the Roadmap items?
-
For those using Version 1.0, would the proposed changes affect their current use of the Framework? If so, how?
-
For those not currently using Version 1.0, would the proposed changes affect their decision about using the Framework? If so, how?
Feedback and comments should be directed to cyberframework@nist.gov.
To view a markup (.pdf) of the revised draft Framework, click here.
To view a clean version (.pdf) of the revised draft Framework, click here.
To view the draft roadmap (.pdf), click here.
To view the draft Framework Core (.xls), click here.
