Sunday, April 22, 2018

NIST Publishes CSF v1.1

Earlier this week the National Institute of Science and Technology announced the release of version 1.1 of their Cybersecurity Framework (CSF). According to the CSF web page, this new version includes updates on:

• Authentication and identity;
• Self-assessing cybersecurity risk;
• Managing cybersecurity within the supply chain; and
• Vulnerability disclosure.

An accompanying fact sheet outlines the three components of the CSF and summarizes the key points about the newest version of the CSF:

• Refined for clarity, it’s fully compatible with v1.0 and remains flexible, voluntary, and cost-effective;
• Declares applicability for "technology," which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
• Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
• Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
• Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment; and
• Better accounts for authorization, authentication, and identity proofing.

Vulnerability disclosure is addressed in a new sub-category (#5) in Respond – Analysis (pg 42). That subcategory notes that:

“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)”

The references for that sub-category are listed as:

CIS CSC 4, 19;
COBIT 5 EDM03.02, DSS05.07; and
NIST SP 800-53 Rev. 4 SI-5, PM-15
