April 16, 2018
Cybersecurity Framework
Version 1.1
Note to Readers on the Update
Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which
was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1.
Version 1.1 is intended to be implemented by first-time and current Framework users. Current
users should be able to implement Version 1.1 with minimal or no disruption; compatibility with
Version 1.0 has been an explicit objective.
The following table summarizes the changes made between Version 1.0 and Version 1.1.
Table NTR-1 - Summary of changes between Framework Version 1.0 and Version 1.1.

Update: Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders
Description of Update: Added clarity that the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. However, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing.

Update: A new section on self-assessment
Description of Update: Added Section 4.0 Self-Assessing Cybersecurity Risk with the Framework to explain how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

Update: Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes
Description of Update: An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4 Buying Decisions highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core.

Update: Refinements to better account for authentication, authorization, and identity proofing
Description of Update: The language of the Access Control Category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. Also, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.

Update: Better explanation of the relationship between Implementation Tiers and Profiles
Description of Update: Added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation. Added language to Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. The Framework Tier concepts were also refined. Updated Figure 2.0 to include actions from the Framework Tiers.
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018