(January 20, 2017 – Jennifer Ortega) On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity and requested public comments on the changes. According to NIST, which is a non-regulatory agency of the Department of Commerce, Draft Version 1.1 is meant to improve NIST’s guidance on “managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity.”
The Framework was first released in 2014, but it is considered a living document that will be modified as necessary to keep pace with technology. The current update introduces several important changes, such as:
- A new section on cybersecurity measurement;
- Creation of standardized terms for supply chain risk management;
- Improvements for better authentication, authorization, and identity proofing; and
- Clarification of the Framework’s structure.
Comments on the updated Framework are due by April 10. The next update of the Framework is expected in the fall of 2017.
EDUCAUSE has responded to previous NIST requests for information regarding the Framework on behalf of the Higher Education Information Security Council (HEISC). In our most recent comments, EDUCAUSE drew NIST’s attention to HEISC’s Information Security Guide: Effective Practices and Solutions for Higher Education and encouraged NIST to tap HEISC’s expertise as NIST continues to develop and improve the Framework.
Jen Ortega serves as a consultant to EDUCAUSE on federal policy and government relations. She has worked with EDUCAUSE since 2013 and assists with monitoring legislative and regulatory proposals across a range of policy areas, including cybersecurity, data privacy, e-learning, and accessibility.