NIST Cyber Security Framework

Flash Report Hero Image
NIST Cyber Security Framework

January 23, 2017

Last week, the National Institute of Standards and Technology (NIST) provided draft revisions to the NIST Cybersecurity Framework (CSF Version 1.1) for public comment.[1] While the NIST draft is subject to change, it is worthwhile to review to determine how the revised NIST CSF Version 1.1 may impact organizations.

NIST commented in its Jan. 12, 2017, press release that the revision will:

  • Provide new details on managing cyber supply chain risk management (SCRM);
  • Clarify key terms; and
  • Introduce measurement methods for cybersecurity.

The framework continues to be voluntary guidance to organizations.

Key dates:

NIST CSF Version 1.0 Released
February 2014
Revision Suggestions
December 2015
Revision Workshop
April 2016
Draft NIST CSF 1.1 Released
January 2017
Public Comments Due
April 2017
NIST CSF Version 1.1 Released
TBD: Possibly Q3/4 2017


There are three key takeaways in the NIST draft, which we summarize below.

(1) NIST CSF Control Framework

The following table summarizes changes made to the NIST CSF control framework:

Version 1.0
Version 1.1
Change Notes
No Change
Added SCRM

Added 8 Controls

  • 5 controls for SCRM
  • 3 controls for Protect

 Approximately 5 controls clarified

The three new controls for the Protect subcategory are as follows:
Sub-control added
Identities are proofed and bound to credentials, and asserted in interactions when appropriate
Integrity-checking mechanisms are used to verify hardware integrity
Systems operate in predefined functional states to achieve availability (e.g., under duress, under attack, during recovery, normal operations)

(2) Cyber Supply Chain Risk Management

NIST has added a new category for SCRM practices. SCRM is now recognized as a critical consideration in the NIST Cybersecurity Framework, in recognition that many organizations are either outsourcing or considering outsourcing security services or key business processes to third parties or sharing sensitive information with them.

Protiviti has long recognized the importance of vendor assessments in managing cyber risks to an organization, as detailed in our latest joint study with Shared Assessments, 2016 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management.[2]

The SCRM focus is new to the NIST CSF. For additional information on SCRM, please refer to NIST publication NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.[3]

The federal Office of the Comptroller of the Currency (OCC) and other agencies have drafted regulations, titled Enhanced Cyber Risk Management Standards, that consistently reference SCRM concepts called external dependency management.[4]

In all, it is clear that the focus on third-party risk management is increasing.

(3) Section 4, “Measuring and Demonstrating Cybersecurity,” Is a New Section

This section contains suggestions on how to measure and demonstrate the effectiveness of cybersecurity. The framework recommends a close relationship between cybersecurity and business objectives. Metrics are separated into four categories: practices, process, management and technical.

NIST offers several examples of practical metrics or measures. Measurements should align to business objectives and should demonstrate a cause-and-effect relationship when possible. Different types of measures and metrics will be required to reflect the different components of the framework. Organizations should tailor the measures and metrics to their own level of maturity based on their implementation tier. Although that guidance is provided, the new Section 4 does not offer concrete examples of what, specifically, a cybersecurity metrics dashboard should contain.

Closing Thoughts

The revisions will help the NIST CSF more closely align with regulatory and industry hot topics such as identity and access management, SCRM vendor risk management, metrics, and cybersecurity threat intelligence. Protiviti has noted these missing areas during engagements such as cybersecurity assessments and cybersecurity strategy/program development. These areas were often discussion points for additional considerations beyond the NIST CSF assessment.

Our Cybersecurity Expertise

We have deep experience in cybersecurity metrics, vendor risk management and NIST CSF 1.0 assessments, along with overall cybersecurity program/strategy development, all of which align closely to the proposed updates to the NIST standard. We are in a unique position to help organizations develop their programs in alignment with the revised framework.

[1] Cybersecurity Framework Draft Version 1.1, National Institute of Standards and Technology.
[2]2016 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management, Protiviti:
[3]Supply Chain Risk Management Practices for Federal Information Systems and Organizations, National Institute of Standards and Technology
[4]Enhanced Cyber Risk Management Standards, Office of the Comptroller of the Currency.

Ready to work with us?