Sometimes it seems like the government and private sector can’t agree on anything. But one area where the two sides have teamed up to combat a common foe is cybersecurity. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity—more commonly known as the Cybersecurity Framework—and its recent update are good examples.
The History of the Cybersecurity Framework
If you’re not familiar with the original Cybersecurity Framework, it’s the result of an executive order issued during the Obama presidency that called for a set of standards, guidelines, and best practices to help organizations that provide the nation’s critical infrastructure better protect their information and physical assets from cyberattack.
Developed through a collaborative effort of more than 3,000 individuals and organizations, the framework debuted in 2014. It provided a prioritized, cost-effective approach to critical IT infrastructure security, and focused on industries vital to national and economic security, including energy, banking, communications and the defense industrial base.
The Cybersecurity Framework has since proven flexible enough to be adopted voluntarily by organizations of all sizes and across all industry sectors, as well as by federal, state and local governments. In PwC’s 2018 Global State of Information Security Survey (GSISS), respondents from healthcare payer and provider organizations, as well as oil and gas companies, pointed to it as the most commonly adopted set information security standards in their respective industries.
Industry surveys from Gartner, Cisco, and other companies report similar findings. Even countries such as Italy, Israel and Uruguay have adopted the framework, or their own adaptation of it.
What’s New in Version 1.1
Like the original Cybersecurity Framework, Version 1.1 is the result of public-private collaborative effort involving stakeholders from government, industry, and academia. The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017.
Two drafts of the updated framework were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs. The new version refines, clarifies and enhances Version 1.0, and covers a wide range of technology environments such as information technology, industrial control systems, and the Internet of Things (IoT).
Among the changes: the Access Control category has been renamed Identity Management and Access Control to better account for authentication, authorization, and identity-proofing. Section 3.3 Communicating Cybersecurity Requirements with Stakeholders has been expanded to help users better understand risk management in the supply chain. It’s followed by a new section, 3.4 Buying Decisions, which focuses on the use of the framework in understanding risk associated with commercial off-the-shelf products and services.
There’s also another new section: Section 4.0 Self-Assessing Cybersecurity Risk with the Framework. It explains how organizations can use the framework to understand and assess their cybersecurity risk. Other updates include a better explanation of the relationship between implementation tiers and profiles; added clarity around the term “compliance,” given the variety of ways in which the framework can be used by an organization; and the addition of a subcategory related to the vulnerability disclosure lifecycle.
If you’re interested in learning more about the Cybersecurity Framework and its recent updates, you’ll find detailed information on the Cybersecurity Framework website. Whether you choose to adopt the framework, go with ISO 27001, or consider some other system, the important thing is to do something to protect your organization against cyberthreats.
A good initial step is to determine how your current IT security measures compare to those of others in your industry or to industry best practices. An information security technology assessment from US Signal can provide you with the answer.
Conducted as a two-hour workshop, the assessment can be customized to your organization’s specific needs but generally covers data governance, identity and access management, operational administration, organizational structure, risk management, physical security, control plane security, and data plane security. Drawing on industry best practices, business insights, technology trends and other information, the US Signal team then can make recommendations for a strategic technology roadmap to help you take your IT security in the right direction.
US Signal also offers a variety of data protection and managed IT security services, as well as HIPPA- and PCI-compliant cloud services, colocation, and network services with built-in security features. Call 866.2. SIGNAL or email[email protected]. A US Signal solution architect will be happy to talk to you about technology assessments and other services to help fortify your cybersecurity defenses.