After circulating a draft in December and accepting feedback, on April 16, 2018, the US Department of Commerce’s National Institute of Standards and Technology (NIST) released version 1.1 of its Cybersecurity Framework (CSF). Formally titled “Framework for Improving Critical Infrastructure Cybersecurity,” the CSF is noted for its clearly written, thorough, and flexible approach to cybersecurity.
NIST originally developed the Framework to protect US critical infrastructure sectors including energy, financial services, and transportation systems. However, NIST reports that the CSF “has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.” The CSF continues to be a collaborative effort – NIST made a public call for changes and held workshops throughout 2016–2017 – with stakeholders from government, industry, and academia contributing. Version 1.1 includes refinements, clarifications, and enhancements, but makes no fundamental changes. As pointed out in the introduction of the updated CSF, “compatibility with Version 1.0 has been an explicit objective.” NIST has posted the process used to update the Framework on its dedicated website.
What’s different?
The CSF continues to be applicable to a diverse range of technology environments, such as information technology, industrial control systems, and the Internet of Things, with some key changes:
Conducting a risk assessment is an important part of implementing the CSF
Risk assessments are an important part of the risk management process – a fundamental aspect of the CSF – and provide the information necessary to respond appropriately to identified risks. A risk assessment can be complex, but with the risk assessment tool vsRisk™ you can save time, effort, and expense. Fully conforming to the CSF, this tool allows you to set your risk acceptance criteria and to measure the likelihood and impact of individual risks.
The tool features a risk assessment wizard, which guides you through the process and generates six audit-ready reports, including the Statement of Applicability and a risk treatment plan. vsRisk Standalone is intended for a single desktop-based user. For multiple desktop users, consider vsRisk Multi-user, which allows up to ten risk assessors to conduct a risk assessment across an organization simultaneously.