Earlier this week the National Institute of Science and Technology announced the release of version 1.1 of its Cybersecurity Framework (CSF). According to the CSF web page, this new version includes updates on:
• Authentication and identity,
• Self-assessing cybersecurity risk,
• Managing cybersecurity within the supply chain, and
• Vulnerability disclosure.
An accompanying fact sheet outlines the three components of the CSF and summarizes the key points about the newest version of the CSF:
• Refined for clarity, it’s fully compatible with v1.0 and remains flexible, voluntary, and cost-effective;
• Declares applicability for "technology," which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
• Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
• Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
• Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment; and
• Better accounts for authorization, authentication, and identity proofing.
Vulnerability disclosure is addressed in a new sub-category (#5) in Respond – Analysis (p. 42). That sub-category notes that:
“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).”
The references for that sub-category are listed as:
• CIS CSC 4, 19;
• COBIT 5 EDM03.02, DSS05.07; and
• NIST SP 800-53 Rev. 4 SI-5, PM-15.