It is important to take a look at The National Institute of Standards and Technology (NIST) Special Publication 800-160, System Security Engineering (issued in November of 2016), and it's draft update to the Framework for Improving Critical Infrastructure Cybersecurity, issued January 10, 2017.
Special Publication 800-160 is directed mostly at engineers, but the C-Suite folks need to read it too. One of the main goals of the publication is to push for building security into Internet of Things devices the way that safety features are built into automobiles. NIST is also trying to expedite public and private sectors to immediately address the proliferation of new risks associated with IoT.
In addition, NIST 800-160 seems to be a response to the Federal Trade Commission's recent statements on whether complying with NIST standards demonstrates "reasonable security." NIST 800-160 expressly provides a framework for how an organization may show "adequate security," which focuses on the adequacy of the procedures and documentation used to arrive at the ultimate cybersecurity decisions. It focuses heavily on the documentation of "better security practices" as opposed to "perfect security practices."
The draft update to the Framework for Improving Critical Infrastructure Cybersecurity provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. The updated framework aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks.
The Cybersecurity Framework was published in February 2014 following a collaborative process involving industry, academia and government agencies, as directed by a presidential executive order. The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid, but the framework has been widely adopted by many types of organizations across the country and around the world. Many law firms have adopted the framework.
The 2017 draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback since the release of framework version 1.0.
"We wrote this update to refine and enhance the original document and to make it easier to use," said Matt Barrett, NIST's program manager for the Cybersecurity Framework. "This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation."
The deadline to send comments on the draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 is April 10, 2017.
Thanks to Dave Ries.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology