Last summer, in our “Malware Manual” series, we introduced readers to the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). As described by NIST:

“This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
We believe in the NIST cybersecurity approach for organizations of all shapes and sizes across the full spectrum of industries. Moreover, we often advocate for the Framework through this blog. In this spirit, we want to share information about last month’s updates to the Framework that we gleaned from an article in GCN. In short, after collecting feedback through a two-year process of public calls for comment, soliciting questions from users and several workshops, NIST made these improvements with Version 1.1:
- A new category for managing supply chain risk.
- Within the supply chain category, an assessment process for commercial off-the-shelf IT products and services.
- Clarified language in several places – e.g., clarifying the meaning of “compliance” for various stakeholders in an organization.
- A new section about self-assessment of cybersecurity risk.
- An updated “access control” category that better accounts for authentication, authorization and identity proofing.
This latest version of the Framework is fully compatible with the initial issue, which is consistent with NIST’s mission to provide a living document where changes can be made as cyber environments and risks shift. “We didn’t want to change the framework substantially, so the two frameworks could work with each other,” NIST Cybersecurity Framework Program Manager Matt Barrett said during an April webinar covering the update. For our part in supporting this mission, we designed our 6-part Malware Manual series to align with NIST’s five tenets for holistically managing
Of course, aligning with the NIST framework alone does not guarantee a cybersecure organization. Implementing specific services, user education and best practices around cybersecurity make the difference. And our TeamLogic IT Managed Services Providers (MSPs) are ready to help you along the way.