Buy National Institute of Standards Assignment

Buy National Institute of Standards Assignment
April 16, 2018 Cybersecurity Framework Version 1.1
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018 ii
No t e t o Rea d er s o n t h e U p d a t e
Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which
was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1.
Version 1.1 is intended to be implemented by first-time and current Framework users. Current
users should be able to implement Version 1.1 with minimal or no disruption; compatibility with
Version 1.0 has been an explicit objective.
The following table summarizes the changes made between Version 1.0 and Version 1.1.
Table NTR-1 – Summary of changes between Framework Version 1.0 and Version 1.1.
Update Description of Update
Clarified that terms like
“compliance” can be
confusing and mean
something very different
to various Framework
Buy National Institute of Standards Assignment
stakeholders
Added clarity that the Framework has utility as a structure and
language for organizing and expressing compliance with an
organization’s own cybersecurity requirements. However, the
variety of ways in which the Framework can be used by an
organization means that phrases like “compliance with the
Framework” can be confusing.
A new section on self-
assessment
Added Section 4.0 Self-Assessing Cybersecurity Risk with the
Framework to explain how the Framework can be used by
organizations to understand and assess their cybersecurity risk,
including the use of measurements.
Greatly expanded
explanation of using
Framework for Cyber
Supply Chain Risk
Management purposes
An expanded Section 3.3 Communicating Cybersecurity
Requirements with Stakeholders helps users better understand
Cyber Supply Chain Risk Management (SCRM), while a new
Section 3.4 Buying Decisions highlights use of the Framework
in understanding risk associated with commercial off-the-shelf
products and services. Additional Cyber SCRM criteria were
added to the Implementation Tiers. Finally, a Supply Chain Risk
Management Category, including multiple Subcategories, has
been added to the Framework Core.
Refinements to better
account for authentication,
authorization, and identity
proofing
Buy National Institute of Standards Assignment
The language of the Access Control Category has been refined
to better account for authentication, authorization, and identity
proofing. This included adding one Subcategory each for
Authentication and Identity Proofing. Also, the Category has
been renamed to Identity Management and Access Control
(PR.AC) to better represent the scope of the Category and
corresponding Subcategories.
Better explanation of the
relationship between
Implementation Tiers and
Profiles
Added language to Section 3.2 Establishing or Improving a
Cybersecurity Program on using Framework Tiers in
Framework implementation. Added language to Framework
Tiers to reflect integration of Framework considerations within
organizational risk management programs. The Framework Tier
concepts were also refined. Updated Figure 2.0 to include
actions from the Framework Tiers.
April 16, 2018 Cybersecurity Framework Version 1.1
Buy National Institute of Standards Assignment
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018 iii
Consideration of
Coordinated Vulnerability
Disclosure
A Subcategory related to the vulnerability disclosure lifecycle
was added.
As with Version 1.0, Version 1.1 users are encouraged to customize the Framework to maximize
individual organizational value.
April 16, 2018 Cybersecurity Framework Version 1.1
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018 iv
Ac kn o wl ed g eme n t s
This publication is the result of an ongoing collaborative effort involving industry, academia, and
government. The National Institute of Standards and Technology (NIST) launched the project by
convening private- and public-sector organizations and individuals in 2013. Published in 2014
and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure
Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or
Information, and thousands of direct interactions with stakeholders from across all sectors of the
United States along with many sectors from around the world.
The impetus to change Version 1.0 and the changes that appear in this Version 1.1 were based
on:
 Feedback and frequently asked questions to NIST since release of Framework Version 1.0;
 105 responses to the December 2015 request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity;
 Over 85 comments on a December 5, 2017 proposed second draft of Version 1.1;
 Over 120 comments on a January 10, 2017, proposed first draft Version 1.1; and
 Input from over 1,200 attendees at the 2016 and 2017 Framework workshops.
In addition, NIST previously released Version 1.0 of the Cybersecurity Framework with a
companion document, NIST Roadmap for Improving Critical Infrastructure Cybersecurity. This
Roadmap highlighted key “areas of improvement” for further development, alignment, and
collaboration. Through private and public-sector efforts, some areas of improvement have
advanced enough to be included in this Framework Version 1.1.