On January 10, 2017, NIST released a draft update to the "Framework for Improving Critical Infrastructure Cybersecurity". Per NIST, the draft update was created to refine, clarify, and enhance version 1.0. The update is not intended to disrupt any organizations currently using the Framework. The updates should align with their current business process relating to the Framework and help add clarity for those implementing the Framework for the first time.
NIST created the update based on comments received from the community through the December 2015 RFI and April 2016 workshop. Additionally, the update addresses several of the items listed for further analysis in the Framework companion document ("NIST Roadmap for Improving Critical Infrastructure Cybersecurity").
The refinements, clarifications, and enhancements include a new section on cybersecurity measurements, a strong emphasis on supply chain risk management, refinements in the access control category, and a better explanation of the relationship between the Implementation Tiers and Profiles.
NIST is seeking public comment on the draft to improve the update before it goes final and to determine if the updates could impact an organization currently implementing the Framework. NIST intends to convene a workshop after reviewing public comments to further refine the update before the final update is published - currently planned for fall of 2017.
Cybersecurity Framework version 1.1 is located on the NIST website at https://www.nist.gov...raft-version-11.
What are your thoughts on the updates?