NIST Cybersecurity Roadmap
The Tip of the Night for December 5, 2016 discussed the NIST Cybersecurity Framework Reference. Earlier this year the National Institute of Standards and Technology introduced the Cybersecurity Framework Roadmap. The Roadmap addresses NIST's efforts to improve version 1 of the Framework. It gives some insight into how organizations are trying to improve their cybersecurity plans.
NIST is focused on improving cybersecurity in the following areas.
A network penetration goes through a sequence of events. A plan called Coordinated Vulnerability Disclosure will allow multiple stakeholders to understand the initial indicators of an attack, its severity, how it can be mitigated, and how the root cause can be addressed. Information sharing is key to disclosure of threats, and NIST's SP 800-150 - Guide to Cyber Threat Information Sharing has a 'traffic light' protocol which helps to show when information should be distributed.
NIST seeks to develop a way to better measure cybersecurity strategies. It has developed the NIST Special Publication 800-55 Revision 1 Performance Measurement Guide for Information Security, which lays out a four-level structure.
NIST is developing a catalog to let those facing a threat select the most appropriate reference.
Small Business Awareness and Resources
NIST recognizes that nearly half of U.S. workers are employed by small businesses. The NISTIR 7621 Revision 1 - Small Business Information Security addresses the needs of small businesses. NIST breaks down cybersecurity awareness for businesses which can't employ people to focus on this area full time.
Governance and Enterprise Risk Management
Getting 'buy-in' from upper management is critical for properly addressing cybersecurity threats. NIST recommends the Baldrige Cybersecurity Excellence Builder as a guide to help organizations manage cybersecurity risk.