Last Chance to Help Shape NIST's Updated Cyber Framework

Den Rise/

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys.

Right now, everyone is probably concerned about a certain April 15th deadline that is rapidly barreling down on us. But before Tax Day arrives, there is another important date we should note. We only have until Mon, April 10, to comment on the proposed version 1.1 updates to the National Institute of Standards and Technology Cybersecurity Framework.

I’ve done my part and added some suggestions that I feel could be useful, but I’m sure the NIST researchers could use all the help they can get, especially from those of us with deep cybersecurity skills.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The Framework for Improving Critical Infrastructure Cybersecurity is a unique document in government for a variety of reasons. It was originally intended as a guide to help protect the nation’s critical infrastructure like the power grid, water systems and transportation networks, much of which is in private hands and not under direct government control. But it has also become a great starting point for cybersecurity for any business, from small- and medium-sized businesses to large corporations. As such, it has only grown in importance since its original creation in 2014.

The document was never intended to be static. It was clear when the framework was created that cybersecurity is a moving target. You can’t reliably explain a defensive technique and expect it to still be valid even six months or a year later. As such, the framework does not go into specific details about tools and tactics but instead lays the groundwork for organizations to start improving their cybersecurity.

In a way, the framework provides commonsense type advice, though it’s valuable because people whose primary jobs are not in security may not know how to think of cybersecurity as a whole entity. Instead, they may get hung up on specific needs like endpoint protection or anti-virus, and end up like the old saying where they can’t see the forest because of all the trees. The framework provides that bigger picture. For example, one thing the framework recommends is to perform a detailed inventory of all your cyber assets and to set up a reporting structure so that everyone knows who to report to, and how to make a report, in the event of a breach. By sticking to general information, the framework can avoid becoming obsolete as specific tools and tactics on both sides of the security fence evolve over time.

The new version 1.1 of the framework, which is soon closing for comments, adds in some newer tactics to help keep the document relevant, while still sticking to more generalized content. Specifically, version 1.1 adds three new areas: 

  • Supply chain risk management: This is the biggest area I felt was missing from the original document, and stresses the need to include all of a business’ suppliers in their cybersecurity efforts. This can make sure that something like a contractor using a default password doesn’t sink your ship.
  • Metrics accounting: This new area helps businesses set up metrics so that cybersecurity can be tied in to business goals and results.
  • Identity management and access control: Another great addition. This explains the need to use tactics like automatically expiring access controls, and to have a solid plan for the entire credentialing lifecycle for all employees.

NIST would like comments about the new additions but is also seeing help with defining areas for future document additions. For example, my suggestion was to include a more detailed explanation of the value of threat intelligence, how to tap into government feeds, and how to help contribute to the cataloging of new threats to help make the whole community safer. Comments should be sent to before the deadline.