NIST Includes Metrics Development Section in Cybersecurity Framework Update
The National Institute of Standards and Technology's long-anticipated draft "Version 1.1" (v1.1) update to the Cybersecurity Framework, released at our deadline Tuesday, includes a new section on developing effective cybersecurity metrics. NIST has been considering potential updates to its existing…
2014 framework in response to comments last year from stakeholders who encouraged the agency not to pursue a major revamp of the document (see 1602240065). NIST's framework “can be used as the basis for comprehensive measurement” of the efficacy of cyber risk management practices, the draft said. The framework's implementation tiers and categories are themselves metrics, NIST said. Any metrics on cyber risk management “should be designed with business requirements and operating expense in mind,” the agency said. “The expense of a measurement system may increase as the accuracy of measurement increases. To mitigate undue cost to the organization, the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.”

NIST included the metrics section in the draft “to get the conversation started,” said Framework Program Manager Matthew Barrett in a news release. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.” v1.1 also includes additional information on managing cyber supply chain risks and clarifications of framework terms. NIST said it's collecting stakeholder feedback on the v1.1 draft through April 10.