On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a recording of the live webcast in early January 2018.

During this webcast, NIST provided an overview of the updates to Version 1.1 of the Cybersecurity Framework (“Version 1.1”), which were analyzed in previous blog posts on Inside Privacy and Inside Government Contracts. The webcast included a discussion of the following topics:

Version 1.1 Reflects Significant Industry Feedback. NIST emphasized that, in creating Version 1.1, it considered feedback from industry, including over 120 comments on the January 2017 draft and information gained from discussions among more than 500 participants at a May 2017 workshop. NIST also noted that industry was seeking only minimal changes and wanted this version to be compatible with Version 1.0.

Version 1.1 Is Designed to Be Compatible with Version 1.0. Version 1.1 is designed to be compatible with Version 1.0, and additions—including new categories and subcategories—will not invalidate existing Version 1.0 work products.

The Cybersecurity Framework Is Broadly Applicable. During the webcast, NIST noted that although the Cybersecurity Framework was always intended to apply to a wide range of technology, Version 1.1 explicitly states that the Cybersecurity Framework is applicable to a wide range of technologies, including Information Technology (“IT”), Operational Technology (“OT”), Cyber-Physical Systems (“CPS”), and the Internet of Things (“IoT”), as well as to all phases of the system lifecycle.

Version 1.1 Increases the Focus on Supply Chain Risk Management. NIST also addressed Version 1.1’s increased focus on supply chain risk management (“SCRM”) and noted that Version 1.1’s guidance was explicitly designed to align with NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

The Major Changes in Version 1.1. The primary changes to the Framework highlighted by NIST included: increased guidance for conducting self-assessments; an enhanced explanation of how the Cybersecurity Framework can be applied to manage cybersecurity risks within supply chains and in acquisition decisions; refined language describing categories and subcategories to better account for authentication, authorization, and identity proofing; and a discussion of the revised implementation tiers, which now address integrated risk management.

Edits to Roadmap Version 1.1. Roadmap Version 1.1 has also been edited and broadened in connection with the updates to the Cybersecurity Framework. In particular, NIST addressed the three new topics added to the Roadmap: Coordinated Vulnerability Disclosure; Governance and Enterprise Risk Management; and Measuring Cybersecurity.

NIST is soliciting feedback on the draft Cybersecurity Framework Version 1.1 and the draft Roadmap Version 1.1 at cyberframework@nist.gov until January 19, 2018. NIST expects to issue final versions of the Cybersecurity Framework and Roadmap Version 1.1 in early 2018. Also in 2018, NIST expects to host a workshop to: share and understand use and best practices of the Cybersecurity Framework; determine early usage and utility of Cybersecurity Framework and Roadmap Version 1.1; and engage in collaborative discussions related to the Roadmap Version 1.1 topic areas.

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity and national security matters, with a particular focus on risk management and governance, regulatory compliance, incident response and crisis management, and internal and government investigations.

Moriah specializes in counseling clients on a variety of issues related to cybersecurity risk management and governance, including evaluating security controls, practices, and policies and preparing for cybersecurity incidents and data breaches, including the potential for related investigations, regulatory inquiries, and litigation. She regularly counsels clients on responding to a broad range of cybersecurity incidents, including breaches of personal data and incidents involving extortion and ransomware, targeting and theft of intellectual property by advanced persistent threats, and state-sponsored theft of sensitive U.S. government information.

Drawing on her government experience, Moriah leads cyber-related internal investigations and investigations conducted in response to government inquiries, whistleblower complaints, and threats of litigation, including matters involving allegations of noncompliance with U.S. government cybersecurity regulations and fraud under the False Claims Act.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.