Security news that informs and inspires

Updated NIST Cybersecurity Framework Emphasizes Access Control & Supply Chain Risk


The National Institute of Standards and Technology (NIST) released its version 1.1 update to the 1.0 version of their Framework for Improving Critical Infrastructure Cybersecurity, last updated in 2014.

The updates encourage maturity in cybersecurity assessments and the vulnerability disclosure process, outline an expanded scope of identity management and access control, and provide supply chain risk management guidance to help mitigate risks associated with industrial control systems and connected devices.

While developed primarily for energy, banking, communications and the defense industrial base sectors, the framework is flexible enough to work for companies of all sizes and industries.

Adopting version 1.1 [of the NIST Cybersecurity Framework] is a must do for all CEOs. - Wilbur Ross, Secretary of Commerce

The U.S. Secretary of Commerce Wilbur Ross recommends every company should use the NIST Cybersecurity Framework as their first line of defense, as quoted in NIST Releases Version 1.1 of its Popular Cybersecurity Framework.

Here’s a summary of the top changes made in the NIST cybersecurity framework:

Self-Assessing Cybersecurity Risk

NIST added an entirely new section, Self-Assessing Cybersecurity Risk With the Framework, to help organizations understand, assess and measure their cybersecurity risk. An organization that can measure risks, costs and benefits of security strategies and steps will be more effective with its security approach and investments.

While there aren't any prescriptive controls for this section, the framework does recommend:

  • Identifying organizational objectives and how they relate to and support cybersecurity outcomes
  • Determine Current Implementation Tiers (four stages with several indicators of security maturity within an organization)
  • Developing Target Profiles (what outcomes will help you achieve your risk management goals)
  • Compare your current cybersecurity program to where you want to be, figure out the steps you need to take to get there, and how to measure the degree of implementation

The framework also warns against relying on "artificial indicators" of risk management performance and progress - emphasizing the value in predicting whether a cybersecurity risk may occur and the impact it might have, identified as a "leading measure.

Updates to the Access Control Category

The overall category has been renamed to Identity Management and Access Control, the language has been refined and new subcategories were added for Authentication and Identity Proofing.

NIST clarified that identities and credentials must be issued, managed, verified, revoked and audited for authorized devices, users and processes; expanding user management to the entirety of a user’s identity lifecycle at an organization. They also added a new subcategory/control to ensure identities are proofed and bound to credentials, and asserted in interactions.

Finally, they added a subcategory to ensure that users, devices and other assets are authenticated (e.g., using single or multi-factor authentication) commensurate with the risk of the transaction (e.g., risks based on the security and privacy of individuals and other organizational risks). This risk-based approach to access controls that verify user and device trust is one of the main tenets of a zero-trust security model.

Addition to Vulnerability Disclosure Lifecycle

A new subcategory has been added for consideration of coordinated vulnerability disclosure. This ensures that processes are established to receive, analyze and respond to vulnerabilities reported to organizations from internal and external sources.

The internet gets safer every time a vulnerability is found and fixed. - HackerOne

This new addition comes in light of the fact that 94 percent of the Forbes Global 2000 companies do not have a published vulnerability disclosure policy, as reported by Hackerone in The 2018 Hacker Report (PDF). As a result, nearly one in four hackers haven't reported a found vulnerability simply because the company didn't support a channel to disclose it.

Other Notable Additions

On page 19, section 3.3, NIST added an entire section to help clarify and outline communication, objectives and activities for cyber supply chain risk management (SCRM).

This is mainly to help outline what technology suppliers and buyers should be doing to mitigate risk associated with industrial control systems, cyber-physical systems and connected devices (including Internet of Things).

They need to deal with products or services that could contain malicious functionality, are counterfeit or vulnerable due to poor manufacturing and development practices in the cyber SCRM. Some of the activities may include:

  • Determining cybersecurity requirements and enacting contracts with suppliers
  • Verifying that requirements are met with assessment methodologies while communicating to suppliers how that process will be carried out

There's also a short section about buying decisions, and how to create profiles that can help with tracking and addressing residual cybersecurity risk.

Additional Resources

Here are some resources that may help you understand the changes: