Framework for Improving Critical Infrastructure Cybersecurity
Version 1.1
National Institute of Standards and Technology
April 16, 2018

This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018

Note to Readers on the Update

Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1.

Version 1.1 is intended to be implemented by first-time and current Framework users. Current users should be able to implement Version 1.1 with minimal or no disruption; compatibility with Version 1.0 has been an explicit objective.

The following table summarizes the changes made between Version 1.0 and Version 1.1.

Table NTR-1 - Summary of changes between Framework Version 1.0 and Version 1.1.

Update: Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders
Description of Update: Added clarity that the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. However, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing.

Update: A new section on self-assessment
Description of Update: Added Section 4.0 Self-Assessing Cybersecurity Risk with the Framework to explain how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

Update: Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes
Description of Update: An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4 Buying Decisions highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core.

Update: Refinements to better account for authentication, authorization, and identity proofing
Description of Update: The language of the Access Control Category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. Also, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.

Update: Better explanation of the relationship between Implementation Tiers and Profiles
Description of Update: Added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation. Added language to Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. The Framework Tier concepts were also refined. Updated Figure 2.0 to include actions from the Framework Tiers.

Update: Consideration of Coordinated Vulnerability Disclosure
Description of Update: A Subcategory related to the vulnerability disclosure lifecycle was added.

As with Version 1.0, Version 1.1 users are encouraged to customize the Framework to maximize individual organizational value.

Acknowledgements

This publication is the result of an ongoing collaborative effort involving industry, academia, and government. The National Institute of Standards and Technology (NIST) launched the project by convening private- and public-sector organizations and individuals in 2013. Published in 2014 and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.

The impetus to change Version 1.0 and the changes that appear in this Version 1.1 were based on:

Feedback and frequently as
