On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) through Draft Version 1.1. The revised Framework provides updated information on managing cyber supply chain risks, introduces methods for measuring cybersecurity effectiveness, and supplies further details on the voluntary steps that organizations can take to reduce their cyber-security risks. Interested parties may respond to the specific questions posed by NIST, or otherwise provide feedback and comments, on the proposed Framework through April 10, 2017. NIST intends to publish a final Framework Version 1.1 around the fall of 2017.

Throughout the revised Framework, NIST provides updated cyber supply chain risk management considerations, including a new section 3.4 on “Buying Decisions.” This section provides updated information on how to make the best buying decisions given the reality that imposing cybersecurity requirements on a supplier is not always possible. Other sections that incorporate cyber supply chain risk management considerations generally emphasize and provide guidance on the need for organizations to identify, monitor, prevent, and respond to cyber supply chain risks.

The revised Framework also adds a new section 4, “Measuring and Demonstrating Cybersecurity,” which describes the interrelationship of effective cybersecurity and positive business outcomes. This section recognizes that the ability of an organization to determine cause-and-effect relationships between cybersecurity and business outcomes is dependent on the accuracy and precision of its measurement systems. Accordingly, the revised Framework provides information on how organizations can measure their cybersecurity effectiveness with respect to their cybersecurity practices, processes, management, and technical capabilities.

Other changes appear throughout the proposed Framework, all of which are intended to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. NIST’s Framework is voluntary, and users are invited to tailor the Framework to maximize the value and effectiveness to the user. For more information, please contact Kristen Connolly McCullough, Kathleen Mazure, or Matthew Bly.