
On December 5, 2017, the Department of Commerce’s National Institute of Standards and Technology (NIST) issued an update to its Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cybersecurity Framework. This update is part of the first set of updates to the Cybersecurity Framework since Version 1.0 was published in February 2014. The current update, available here, is the second draft of Cybersecurity Framework Version 1.1. It is the result of a series of workshops and public comment review periods held since the launch of the original Cybersecurity Framework in 2014.

The Cybersecurity Framework was first envisaged by Presidential Executive Order No. 13636 in 2013, available here, which directed NIST to produce a set of voluntary standards for physical and cyber critical infrastructure assets that are cost-effective, risk-based, and replicable. NIST’s role in producing these voluntary standards was subsequently codified in statute by the Cybersecurity Enhancement Act of 2014, available here. The Federal Energy Regulatory Commission (FERC) often directs the nation’s self-governing electric reliability organization, the North American Electric Reliability Corporation (NERC), to adopt NIST guidelines. The current update introduces standardized terminology for managing cyber supply chain risks so that multiple vendors and organizations within a single supply chain may better understand cybersecurity risks. The update also expands on key identity management and access control terms such as “authentication” and “authorization,” while introducing the related concept of “identity proofing.” It also includes a new section that highlights the role of self-assessment in measuring cybersecurity risks. NIST kept the public comment period for draft two of Version 1.1 open until January 19, 2018, and expects to release the final version in the spring of 2018.

For more information on NIST’s Cybersecurity Framework and other cybersecurity reliability issues in the electric sector, please contact Kristen Connolly McCullough and Sean Neal.