Last summer, in our “Malware Manual” series, we introduced readers to the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). As described by NIST:
“This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
We believe in the NIST cybersecurity approach for organizations of all shapes and sizes across the full spectrum of industries, and we often advocate for the Framework through this blog. In that spirit, we want to share information about last month’s updates to the Framework, which we gleaned from an article in GCN. In short, after a 2-year process of collecting feedback through public calls for comment, questions solicited from users and several workshops, NIST made these improvements in Version 1.1:
- Adding a new category for managing supply chain risk.
- Including in the supply chain category an assessment process for commercial off-the-shelf IT products and services.
- Refining language in several places – e.g., clarifying the meaning of “compliance” for various stakeholders in an organization.
- Creating a new section about self-assessment of cybersecurity risk.
- Renaming the “Access Control” category to “Identity Management, Authentication and Access Control” so that it better accounts for authentication, authorization and identity proofing.
This latest version of the Framework is fully compatible with the initial issue, which is consistent with NIST’s goal of providing a living document that can change as cyber environments and risks shift. “We didn’t want to change the framework substantially, so the two frameworks could work with each other,” NIST Cybersecurity Framework Program Manager Matt Barrett said during an April webinar covering the update. For our part in supporting this mission, we designed our 6-part Malware Manual series to align with the five core functions NIST uses to manage cybersecurity holistically: Identify, Protect, Detect, Respond and Recover.
Of course, aligning with the NIST Framework alone does not guarantee a secure organization. What makes the difference is implementing specific security services, educating users and following cybersecurity best practices. And our TeamLogic IT Managed Services Providers (MSPs) are ready to help you along the way.