
On April 16, 2018, the Department of Commerce’s National Institute of Standards and Technology (NIST) issued an updated version of its Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cybersecurity Framework. The new version, Cybersecurity Framework, Version 1.1, was published following a public comment period, stakeholder workshops, and two draft versions released in 2017. Version 1.0 of the Cybersecurity Framework was first published in February 2014. The current update, available here, includes updates on risk self-assessment, identity and authentication, vulnerability assessments, and standardized terminology to better manage supply chain cyber risks.

The Cybersecurity Framework is intended to be an ongoing public-private effort to address cybersecurity risks in a wide range of technology environments and businesses that utilize critical infrastructure. The Cybersecurity Framework was first envisaged by Presidential Executive Order No. 13636 in 2013, available here, which directed NIST to produce a set of voluntary standards for physical and cyber critical infrastructure assets that are cost-effective, risk-based, and replicable. NIST’s role in producing these voluntary standards was subsequently codified in statute by the Cybersecurity Enhancement Act of 2014, available here. The Federal Energy Regulatory Commission (FERC) often directs the nation’s self-governing electric reliability organization, the North American Electric Reliability Corporation (NERC), to adopt NIST guidelines. Additionally, pursuant to Executive Order 13800 issued in May 2017, all federal agencies are required to use the Cybersecurity Framework.

Version 1.1 introduces a new section that outlines the role of self-assessment, in which an entity can measure its cybersecurity risks based on its own assessments of costs and benefits. The new version also clarifies ways of managing communications with an entity’s suppliers and other stakeholders. Version 1.1 introduces new, standardized terminology for managing cyber supply chain risks so that multiple vendors and organizations within a single supply chain may better understand cybersecurity risks. The update also expands on key identity management and access control terms such as “authentication” and “authorization,” while introducing the related concept of “identity proofing.” The new version also refines an organization’s risk assessment to include both external and internal vulnerabilities.

Later this year, NIST intends to publish a companion document to Version 1.1 to be known as a Roadmap for Improving Critical Infrastructure Cybersecurity. More information on future updates to the Cybersecurity Framework can be found here. For additional information on NIST’s Cybersecurity Framework and other cybersecurity reliability issues in the electric sector, please contact Kristen Connolly McCullough or Sean Neal.