I've previously posted on the NIST Cybersecurity Framework, and was very surprised that in the last week there has been some new development in that area.
I especially found this interesting because on June 11th I am presenting my "NIST CSF at 2" presentation to the HackMiami meeting at the Broward Main Library. This is the presentation I gave at BSides Tampa 2016, and had made a few tweaks. And so I am doing some updates in light of these developments.
As previously noted, NIST had in Dec 2015-Feb 2016 a "request for information" on the Framework and its use. They then followed up with a 2 day Workshop at NIST headquarters. A report of that workshop was promised in mid-May.
Well, earlier this week a video of the first part of an interview with Mark Barrett, the program manager overseeing the Framework. The video noted some of the outcomes of the workshop as well as the plans for updates (more on this shortly). One source to see this video is HERE. Not sure when/where the second part will appear, but will update this posting when it is.
THEN, on the 9th, NIST released the report of the workshop. You can download it from the Framework page, or get it directly HERE.
This report (or summary as they call it), gives the highlights from the finding from both the RFI and Workshop. It points out the many things people gave feedback on that they felt needed improvement on. AND it noted more on the updates. It seems the basic idea is NOT to do a major update (to a version 2.0), which people didn't want, but a minor update (a 1.1 if you will). Updates may be done thru some of the supplemental materials that exists around the Framework, and most likely we'll see a draft in early 2017 with the final version in late 2017 (similar to how they do the Special Publications they put out). There will also be new things like a self-assessment tool similar to what is used for the Malcolm Baldridge program.
So check it out. I will probably do a further posting on my thoughts from the report/summary. Feel free to post your thoughts in the comments below.