On January 10, NIST released a draft update of its Cybersecurity Framework.
The new draft focuses on managing cyber supply chain risks and on introducing cybersecurity measurement methods to help organizations reduce their risk.
It also adds provisions for assessing the cybersecurity risk posed by third-party vendors and a new section on measuring the cost effectiveness of cybersecurity programs.
In particular, the new draft addresses vendor risk management and gives businesses practical guidance to:
determine cybersecurity requirements for suppliers and partners
enact cybersecurity requirements through contracts
communicate to suppliers and partners how those cybersecurity requirements will be verified and validated
verify that cybersecurity requirements are met
The new version of the NIST framework also includes recommended metrics and measurements that organizations can use to evaluate the “relative cost effectiveness of various cybersecurity activities” and how those activities affect business objectives.
NIST has invited public comment on the draft (deadline April 10, 2017) and plans to release a final version in fall 2017.