Well, NIST (National Institute of Standards and Technology) has announced an update for the Cybersecurity Framework (CSF). The new version will be v1.1, an incremental update which was expected. They have released a draft of this update for comments.
You may read about it HERE. There is also THIS page that explains the update AND gives info on feedback, which has a deadline of APRIL 10, 2017, and where to send comments.
At that page you can read the draft in a couple of different versions.
What has been added/updated?
They added more stuff regarding supply chain. They did a few tweaks on the Core. I had hoped they would have gotten rid of the Implementation Tiers, but instead of dumping it or doing major work they did some tweaks to it. And there is a new section on metrics and measurement.
I was disappointed they didn't update the Critical Security Controls references. They are still listing v5, which is no longer valid and the group that managed it is no more. However, they note they are still updating all the Information References, so hopefully that is just something that is in progress and will appear in the released version.
I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix. And I think they should add a PCI DSS crosswalk. Am told it exists, and think it would be good to include it. Again, maybe this will be included in the final version.
Am debating if I should put together a talk on this proposed draft for upcoming conferences.