Release of NIST Cybersecurity Framework v1.1: Public Comment Period Open for Draft Document

The evolution of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the “Framework”) has been closely tracked by the private sector.  The Framework sets forth the core functions that are common across critical infrastructure sectors: identify, detect, protect, respond, and recover from security incidents.  Further, the Framework explains how critical infrastructure cybersecurity can be improved upon with enough granularity to answer the most significant question: “How do we do this?”  Additionally, the Framework is voluntary in nature and not mandatory for the private sector and is also voluntary for the healthcare and public health (“HPH”) sector.  However, governmental guidance includes reference to the Framework, such as in the FDA’s recently finalized Postmarket Management of Cybersecurity in Medical Devices guidance.

NIST released a recent update, specifically Draft Version 1.1.  This update was the result of NIST’s review of proposed changes, which were collected from feedback and frequently asked questions to NIST since the release of Framework Version 1.0 in February 2014, responses to the December 2015 request for information (including by HIMSS), and comments provided by April 2016 Framework workshop attendees.  In this draft document, NIST provides more granular guidance on how to implement the Framework and use of the implementation tiers.  Special emphasis is placed on supply chain risk management, due diligence, system lifecycle phases, and metrics and measures to ascertain progress in regard to Framework adoption. 

The draft document also acknowledges the importance of information sharing with internal and external sources and provides insight with regard to how holistic security can be achieved by aligning cybersecurity and business objectives and outcomes. 

The public comment period for this draft document runs through April 10, 2017.  Public comments may be sent to