
On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework, first issued in 2014. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The new draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. According to NIST, the new Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback and suggestions received since 2014, including responses from a December 2015 request for information and comments from attendees of a workshop held in April 2016.

The changes in the latest Framework include a new section on cybersecurity measurement; a more detailed explanation of how to use the Framework for Cyber Supply Chain Risk Management purposes; refinements to better account for authentication, authorization, and identity proofing; and a more thorough explanation of the relationship between Implementation Tiers and Profiles.

NIST is an agency of the U.S. Department of Commerce that develops measurement standards. On February 12, 2013, President Obama issued an Executive Order calling for the development of a risk-based, voluntary set of industry standards and best practices to help organizations manage cybersecurity risks. The Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia, and government agencies. The Cybersecurity Enhancement Act of 2014 directs NIST to continue its work on the Framework.

Details of the changes can be found in Appendix A of the draft Framework. Comments on the draft will be accepted until April 10, 2017, and should be sent to

From ransomware attacks to data breaches at major retailers, health care facilities, and others, cybercrime continues to present serious threats to businesses across the supply chain. Given these growing risks, it is important for businesses in all sectors to monitor best practices and to assess, implement, and periodically re-assess their security controls.