NIST 1.1 tackles cybersecurity metrics, supply chain
NIST 1.1 tackles cybersecurity metrics, supply chain

The second draft of the update to the US National Institute of Standards and Technology's cyber-security framework, NIST 1.1, may prove to be more impactful than the original version released in 2013, Larry Clinton, president and CEO of the Internet Security Alliance (ISA), said Wednesday.

The second draft update is meant “to clarify, refine, and enhance the Cyber-security Framework, amplifying its value and making it easier to use,” according to NIST. Specifically, it brings clarity to cyber-security measurement language and tackles improving security of the supply chain.

Calling the initial NIST CSF “a landmark effort” that delivered “important benefits, such as providing common language for different models” of standards and best practices already in use, Clinton said “it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development.”

The current draft, however, moves closer toward reaching those goals.

“To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework,” he said. “Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organisation.”

The new draft clarifies “that adaptation of the NIST CSF to some generic compliance regime was never intended and is, in fact, inappropriate,” said Clinton. “This reflects an understanding on the part of NIST that, over the past few years, the marketplace has developed a series of analytical tools to help organisations use the framework in a method that is cost-effective for them.”

Clinton praised the process used by NIST as “a model ‘use case' for how government needs to engage with its industry partners to address the cyber-security issue.”

The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended. “The NIST model stands in stark contrast to the antiquated regulatory models we see used in other parts of the world and even in some isolated cases here in the US. NIST treats its industry partners like partners, not stakeholders,” said Clinton. “The NIST approach generates trust and effective solutions. Much can be learned from following the NIST model.”

The standards body noted that as the framework is adopted more widely, lessons learned will be integrated into versions going forward. “This will ensure the Framework is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions,” the new draft said. “Expanded and more effective use and sharing of best practices of this voluntary Framework are the next steps to improve the cyber-security of our Nation's critical infrastructure – providing evolving guidance for individual organisations while increasing the cyber-security posture of the Nation's critical infrastructure and the broader economy and society.”

In the US NIST is inviting public comments on the latest draft to be submitted by 19 January.