October 15, 2019

October 14, 2019


NIST Releases Updated Cybersecurity Framework

Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks.  Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST sought to better understand how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework.  The key updates in Version 1.1 are summarized below.

  • Explicitly expanded the applicability of the Framework outside of critical infrastructure: Version 1.1 states that the Framework is useful for addressing cybersecurity for any company relying on technology, “whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).”

  • Explained how to use the Framework for organizational self-assessment: Version 1.1 adds a new section that guides companies on how to use the Framework to understand and assess their cybersecurity risk, including how to choose and deploy performance metrics to measure progress or flag issues.

  • Enhanced guidance for applying the Framework to supply chain risk management: Version 1.1 added Supply Chain Risk Management to the Framework Core (a set of cybersecurity activities, outcomes, and informative references that are common across sectors).  Cyber supply chain risk management focuses on identifying, assessing, and mitigating the risks posed by acquired products and services that may contain malicious functionality, be counterfeit, or have critical vulnerabilities as a result of poor manufacturing practices.

  • Added definition of “Cybersecurity Incident”: Version 1.1 adds a definition of Cybersecurity Incident as distinguished from a Cybersecurity Event.  “Cybersecurity Incident” is defined as “[a] cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.”  The term “Cybersecurity Event” (“cybersecurity changes that may have an impact on organizational operations”) remains in the Framework.  As a result, Version 1.1 more precisely differentiates between cybersecurity issues that may impact an organization and those that actually impact the organization.  This distinction may help companies when implementing detection and recovery functions.

  • Refined authorization, authentication, and identity proofing: Version 1.1 renames the “Access Control” category to “Identity Management and Access Control” and adds subcategories for identity verification and authentication commensurate with the risk of the transaction.

  • Clarified confusion around the term “compliance”: Version 1.1 clarifies that, as used in the Framework, the term “compliance” refers to using the Framework to organize a company’s compliance with its own internal cybersecurity requirements; there is no ultimate “compliance with the Framework.”

The changes made in Version 1.1 are intended to be “fully compatible” with Version 1.0.  Companies that have already incorporated Framework Version 1.0 are encouraged to implement the additional content as appropriate.  Companies new to the Framework should follow Version 1.1.

© 2019 Covington & Burling LLP


About this Author

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government...

Ashden Fein, Litigation attorney, Covington & Burling

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.