On December 5, 2017, the National Institute of Standards and Technology (NIST) published Draft 2 of its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”), Version 1.1. Version 1.1 will refine, clarify, and enhance Version 1.0, which established an initial set of industry standards and best practices to help organizations manage cybersecurity risks.  Draft 2 is open for public review and comment through January 19, 2018.

Background Regarding the Framework

The NIST is a non-regulatory agency of the US Department of Commerce that establishes standardized measurements for the United States in all areas of science and technology. In February 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for the development of a voluntary Cybersecurity Framework providing the people and entities involved in the delivery of critical infrastructure services with a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for processes, information, and systems. The Executive Order defined the “critical infrastructure” on which the Framework was to be focused as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” On February 12, 2014, the NIST issued Version 1.0.

In December 2014, the Cybersecurity Enhancement Act of 2014, 15 U.S.C. § 272(e)(1)(A)(i), statutorily updated the role of the NIST to include the objective to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure. Thereafter, in January 2017, the NIST issued Draft 1 of Framework Version 1.1, tweaking certain areas to improve clarity, and adding provisions to help the Framework evolve in lockstep with changing cybersecurity knowledge and best practices.  After accepting feedback and comments through April 2017, and a period of further revision, the NIST issued Draft 2 last month.

The Framework Structure

The Framework consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core consists of five Functions representing stages in the life cycle of an organization’s cybersecurity risk management: Identify, Protect, Detect, Respond, and Recover.  The Framework Core connects each of these Functions to key Categories and Subcategories.  For instance, three categories fall under the Detect Function: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.  The Anomalies and Events Category has several Subcategories therein, including: 1) the establishment of a baseline of network operations and data flows for users and systems; 2) analyzation of events to understand attack targets and methods; 3) the collection and correlation of event data; 4) determination of event impact; and 5) establishment of thresholds for incident alerts.

The Framework Implementation Tiers provide context as to an organization’s view of cybersecurity risk and the risk management processes in place. The Tiers are numbered 1 through 4 and represent varying levels of integration of cybersecurity risk management processes within an organization, with 1 representing a basic level of integration and 4 being far more advanced.  Importantly, the Framework does not suggest that every organization should strive for Tier 4 status.  Instead, an organization’s target Tier should be based on organizational goals, feasibility of implementation, and the amount that the cybersecurity risk concerning critical assets and resources must be reduced in order to reach acceptable levels.  Progression to higher Tiers is encouraged when a cost-benefit analysis demonstrates a feasible and cost-effective reduction of cybersecurity risk.

The Framework Profile is the alignment of the Functions, Categories, and Subcategories, with the business requirements, risk tolerance, and resources of the organization.  An Organization may designate both a Current Profile and a Target Profile.  Comparison of the two profiles may reveal gaps, around which the organization can develop an action plan to address weaknesses in its cybersecurity preparedness.

Proposed Changes to the Framework

Version 1.1 retains the same Framework format, consisting of the Core, Tiers, and Profiles.  The changes to the Framework in Version 1.1 reflect developments in cybersecurity that have occurred since the February 2014 publication of Version 1.0.  The Framework, which was originally drafted with critical US infrastructure in mind, contains broader language in Version 1.1, as there is now demand for a Framework extending beyond the entities and organizations closely connected to critical US infrastructure.  Version 1.1 is designed to be a valuable resource for both organizations that are closely connected to critical US infrastructure and those that are not.

Since February 2014, the profound impact that business partners have on the cyber risk of each other has become manifest. As we recently discussed with regard to PayPal’s December 2017 data breach announcement, often smaller, peripheral entities are the target of cyberattacks launched as the first step of a larger plan to infiltrate a bigger name partner entity. The Framework now reflects the importance of cyber risk management focusing on these interorganizational connections.  For instance, Tier 4, the most advanced of the four Tiers, now includes a point entitled External Participation, concerning an organization’s understanding of its role, dependencies, and dependents in the larger cyber ecosystem and the organization’s contributions to the community’s understanding of risk.  In this regard, Version 1.1 encourages organizations not only to continually analyze their cybersecurity risk as threats and the technology landscape evolve, but also to share internally and externally prioritized information that they receive, generate, and review regarding risk and the cyber climate.

A new section of the Framework in Version 1.1 addresses the cyber supply chain.  Recognizing the complex and interconnected relationships between all components of a supply chain, beginning with the sourcing of products and services and extending to the design, development, manufacturing, processing, handling, and delivery of products and services to the end user, Version 1.1 designates supply chain risk management (SCRM) a critical organizational function.  A primary objective of cyber SCRM is to identify, assess, and mitigate products and services that contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing or development.  When an organization has multiple potential suppliers for a product or service, it can use its Target Profile to inform its purchasing decisions in light of the supplier’s compliance with certain cybersecurity requirements.

Version 1.1 distinguishes between buyers and sellers of technology and buyers and sellers of non-technology. While technology buyers and sellers more overtly implicate cyber risk, in fact, all of the players, whether in technology or not, are part of the cyber supply chain ecosystem and play a role in an organization’s cyber risk profile.  The Framework demonstrates that evaluation of an organization’s cyber risk should take all of the players in the cyber supply chain ecosystem into consideration.

Version 1.1 also provides further guidance for organizations as to the self-assessment of their cybersecurity risk with the Framework.  An organization must clearly understand its organizational objectives, the relationship between those objectives and supportive cybersecurity outcomes, and how those discrete outcomes are implemented and managed in order to measure the effectiveness of its cybersecurity plan.  The Framework Core supports self-assessment of investment effectiveness.  Lagging measurement can be useful to determine whether an organizational objective has been satisfied, however, the Framework emphasizes leading measurements of cybersecurity risk, the likelihood of an occurrence, and the impact it may have, as typically more important to determining the likelihood of achieving an organizational objective.

Version 1.1 serves as a valuable barometer of the state of cyber risk management, reflecting the emerging importance of cyber SCRM, as well as the increasing breadth of cyber risk.  Going forward, the Framework will continue to evolve over time, reflecting changes to the mechanisms and focus of cyber risk management.