Canada: NIST Cybersecurity Framework Updated

Recently, the U.S. Commerce Department's National Institute of Standards and Technology ("NIST") released Version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). This revised version refines, clarifies and enhances Version 1.0 of the Framework released in February 2014.

Overview of the Framework

The Framework was originally developed to provide a common organizing structure for the diverse approaches to cybersecurity by assembling standards, guidelines, and practices that have been recognized as effective by the industry experts.

First created with a focus on industries vital to national and economic security, including energy, banking and the defense industrial base, the Framework has since been adopted voluntarily by a range of large and small organizations globally across all sectors.

The Framework aims to be used as a reference guide for an organization to design its risk management processes and programs in cybersecurity or to complement, rather than replace, already existing processes and programs.

As such, the Framework provides various guidelines for organizations to: (i) describe their current cybersecurity posture; (ii) describe their cybersecurity objectives; (iii) identify and prioritize opportunities for improvement; (iv) assess progress toward their cybersecurity objectives; and (iv) communicate their cybersecurity objectives (and progress) among internal and external stakeholders.

Broadly speaking, the Framework is divided into three parts:

• Framework Core: This part provides a comprehensive list of all industry standards, guidelines and practices applicable to each cybersecurity topic listed in the Framework. It enables the executive branch of the organizations to properly communicate their cybersecurity objectives and reach their desired operational outcomes.
• Framework Implementation Tiers: This part aims to assist organizations in assessing the cybersecurity risks they face and the processes they have in place to manage such risks. The degree of rigor and sophistication in the cybersecurity risk management practices of the business are measured on a scale ranging from "Partial (Tier 1)" to "Adaptive (Tier 4)." Organizations can select the most appropriate Tier depending on their current risk management practices, threat environment or legal and regulatory requirements specific to their industry.
• Framework Profiles: This part is intended to help establish a roadmap for reducing cybersecurity risks that is well-aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices and reflects risk management priorities. It can be used to describe both the current state and the desired state of specific cybersecurity activities.

Finally, in addition to these three parts, the Framework sets out practical steps that may be followed in order to create a new cybersecurity program or to improve an existing one.

Version 1.1: What's New?

Feedback collected through NIST workshops held in 2016 and 2017, public consultations and input from users of the Framework were taken into account to make the current changes seen in Version 1.1.

Critics of Version 1.0 noted that while comprehensive, it was not easy to implement. To address these concerns, Version 1.1 of the Framework refined its directives as to how the Framework should be integrated into an organization's existing cybersecurity program.¹

Version 1.1 includes a helpful new section, titled "Self-Assessing Cybersecurity Risk with the Framework." This new section aims to better explain how the Framework can be used by organizations to understand and assess their cybersecurity risk.

Further, a section titled "Buying Decisions" has also been added, which helps organizations understand risks associated with purchasing commercial, off-the-shelf products and services. The objective of this section is to help the organizations make the best buying decision among various suppliers, based on a carefully determined list of cybersecurity requirements.

Finally, the section titled "Communicating Cybersecurity Requirements with Shareholders" has been further detailed in order to help users better understand Cyber Supply Chain Risk Management.²

Implementation in Canada

Broadly speaking, the NIST Framework is widely viewed as being a good starting point for building strong cybersecurity programs. However, when designing or updating existing cybersecurity programs, organizations should ensure that they customize it based on their particular needs and industry requirements (including regulatory requirements). Canadian organizations should take this opportunity to revise their existing cybersecurity programs to ensure that they meet the minimal requirements of the new NIST Framework.

The authors would like to thank summer student Vincent Milette for his assistance in preparing this blog post.

Footnotes

[1] Jeffrey Haut, NIST Releases New Cybersecurity Framework Version 1.1 (Vernon Litigation Group)

[2] Cyber Supply Chain Risk Management is the set of activities necessary to manage cybersecurity risk associated with external parties. It addresses both the cybersecurity effect an organization has on external parties and the cybersecurity effect external parties have on an organization.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.