The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities
NIST Seeks Comments on Cybersecurity Framework Draft
Last month, the National Institute of Standards and Technology (NIST) published a discussion draft of revisions to the NIST Cybersecurity Framework (CSF Version 1.1). The draft, though still subject to change, provides new details on NIST’s recommendations for cyber supply chain risk management (SCRM), clarifies key terms, and introduces cybersecurity measurement metrics. Although this is a voluntary framework, the Financial Industry Regulatory Authority (FINRA) and others require organizations under their jurisdiction to adopt and declare a framework, and the NIST CSF is one of the most commonly used.

Here are some of the highlights from the NIST draft:

  • The NIST CSF, which currently has 22 control categories, will add another, SCRM, in the Identify function, along with eight subcategories: five for SCRM and three in the Protect function. In addition, five existing controls have been clarified.
  • SCRM is now a critical consideration in the NIST CSF, in recognition of the fact that many organizations outsource key business processes to, or share sensitive data with, third parties. The federal Office of the Comptroller of the Currency and other agencies have drafted regulations, titled Enhanced Cyber Risk Management Standards, that address this “external dependency management.”
  • A new section, Section 4, titled “Measuring and Demonstrating Cybersecurity,” has been added. It contains suggestions on how to measure and demonstrate the efficacy of cybersecurity, and it recommends a close relationship between cybersecurity and business objectives. Metrics are separated into four categories: practices, process, management and technical. Measurements should align with business objectives and should demonstrate a cause-and-effect relationship, and NIST recommends that organizations tailor the measures and metrics to their own level of maturity. The new Section 4 does not, however, offer concrete examples of which specific cybersecurity metrics should be included in a control dashboard.

We think these revisions will help the NIST CSF align more closely with regulatory and industry priorities, such as identity and access management, SCRM and vendor risk management, metrics, and cybersecurity threat intelligence. Because these are the same areas that often come up as concerns for Protiviti during field engagements, we think the changes are necessary and appropriate.

Click here for our flash report on this topic.

Authors: Andrew Retrum and Randy Armknecht, Protiviti