Remember NIST, the non-regulatory agency of the U.S. Department of Commerce? Their mission expanded over the years to protecting businesses from cyberthreats, including a "Cybersecurty Framework" first published in 2014. "The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid," NIST wrote in January, "but the framework has been widely adopted by many types of organizations across the country and around the world." Now SC Media reports:
The second draft of the update to the National Institute of Standards and Technology's cybersecurity framework, NIST 1.1, is meant "to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use," according to NIST. Specifically, it brings clarity to cybersecurity measurement language and tackles improving security of the supply chain. Calling the initial NIST CSF "a landmark effort" that delivered "important benefits, such as providing common language for different models" of standards and best practices already in use, Larry Clinton, president and CEO of the Internet Security Alliance, said "it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development...
"To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization"... Clinton praised the process used by NIST as "a model 'use case' for how government needs to engage with its industry partners to address the cybersecurity issue." The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended.
Slashdot reader Presto Vivace reminds you that public comments on the draft Framework and Roadmap are due to NIST by 11:59 p.m. EST on January 19, 2018. "If you have an opinion about this, NOW is the time to express it."
Read more of this story at Slashdot.