Framework for Improving Critical Infrastructure Cybersecurity
Version 1.1
National Institute of Standards and Technology
April 16, 2018
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018
Note to Readers on the Update
Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1.
Version 1.1 is intended to be implemented by first-time and current Framework users. Current users should be able to implement Version 1.1 with minimal or no disruption; compatibility with Version 1.0 has been an explicit objective.
The following table summarizes the changes made between Version 1.0 and Version 1.1.
Table NTR-1 - Summary of changes between Framework Version 1.0 and Version 1.1.

| Update | Description of Update |
| --- | --- |
| Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders | Added clarity that the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. However, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing. |
| A new section on self-assessment | Added Section 4.0 Self-Assessing Cybersecurity Risk with the Framework to explain how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements. |
| Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes | An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4 Buying Decisions highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core. |
| Refinements to better account for authentication, authorization, and identity proofing | The language of the Access Control Category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. Also, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories. |
| Better explanation of the relationship between Implementation Tiers and Profiles | Added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation. Added language to Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. The Framework Tier concepts were also refined. Updated Figure 2.0 to include actions from the Framework Tiers. |
| Consideration of Coordinated Vulnerability Disclosure | A Subcategory related to the vulnerability disclosure lifecycle was added. |