If not, it should be. If it is, you should be aware that the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, recently issued a draft update (draft Version 1.1) to its Framework for Improving Critical Infrastructure Cybersecurity (Framework). The original Framework, Version 1.0, was released in February 2014, and NIST summarizes it as follows:
The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.
In addition, on January 4, 2017, NIST released An Introduction to Privacy Engineering and Risk Management in Federal Systems (NISTIR 8062). Although it is written for federal information systems, the publication offers relevant guidance for any organization that wants to embed privacy principles more concretely into its systems. By introducing the privacy engineering objectives of predictability, manageability, and disassociability, NIST gives systems engineers a foundation for demonstrating how an organization's privacy policies and system privacy requirements are actually implemented in its systems. According to NIST, this latest report "hardens the way we treat privacy, moving us one step closer to making privacy more science than art."
In sum, the NIST Cybersecurity Framework is an important tool to have in your organization's cybersecurity risk management toolkit. The draft update supplements rather than replaces the original and further develops NIST's voluntary guidance for organizations working to reduce cybersecurity risk: it adds guidance on managing cyber supply chain risk, clarifies key terms, and introduces methods for measuring cybersecurity.
Free copies of the following are available for download: