Friday, January 13, 2017

NIST Cybersecurity Framework v1.1 is coming!!!

Well, NIST (National Institute of Standards and Technology) has announced an update for the Cybersecurity Framework (CSF).  The new version will be v1.1, an incremental update which was expected.

They have released a draft of this update for comments.

You may read about it HERE. There is also THIS page that explains the update AND gives info on feedback, which has a deadline of APRIL 10, 2017, and where to send comments.

At that page you can read the draft in a couple of different versions.

What has been added/updated?

They added more stuff regarding supply chain. They did a few tweaks on the Core. I had hoped they would have gotten rid of the Implementation Tiers, but instead of dumping it or doing major work, they did some tweaks to it. And there is a new section on metrics and measurement.

I was disappointed they didn't update the Critical Security Controls references. They are still listing v5, which is no longer valid and the group that managed it is no more. However, they note they are still updating all the Information References, so hopefully that is just something that is in progress and will appear in the released version.

I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix. And I think they should add a PCI DSS crosswalk. Am told it exists, and think it would be good to include it. Again, maybe this will be included in the final version.

Am debating if I should put together a talk on this proposed draft for upcoming conferences.

