By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA
The National Institute of Standards and Technology (NIST) announced on April 16, 2018 the release of the Cyber Security Framework (CSF) 1.1, intended to improve Critical Infrastructure Cybersecurity. When first developed in 2014, the framework was geared towards industries vital to economic and national security, which included banking, communications, defense, industrial base, and energy. However, its flexibility has proven it a good fit for adoption by large and small companies alike, and throughout government, be it federal, state or local.
In May of 2017, President Trump issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to adopt the CSF.
The CSF is intended to be a living document, with updates incorporated as new threats evolve, technology advances, and best practices develop. However, this is the first update since 2014, and is the result of over two years of development.
There are several key refinements within the new 1.1 version:
Cyber Supply Chain Risk Management – Suggests that quarterly assessments of an organization's supply chain should take place. We applaud this refined best practice, as, in an evolving landscape of cyber threats, the supply chain vector has been used to cause some of the most damaging cyber attacks of the past few years.
Authentication, Authorization and Identity Management – CSF 1.1 provides a clearer and more concise explanation of the relationship between implementation tiers and profiles.
Cyber Chain Risk Management – Includes a new section for organizations to conduct cyber risk self-assessments.
Vulnerability Disclosure – This section of the CSF has been expanded to include a new vulnerability disclosure lifecycle subcategory.
The threat of cyber-attacks has a significant impact at both national and economic levels across the globe. It is this constant threat that makes it imperative for every organization, large or small, to take cyber security seriously. The CSF 1.1 gives any organization the tools and best practices needed to build a cyber security program, which will help reduce that organization's overall cyber risk.
NIST has also announced the future release of the ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later in 2018.
To learn more about adopting the NIST CSF into your organization, please contact LEO Cyber Security today.