Close this search box.

We are creating some awesome events for you. Kindly bear with us.

Draft update to NIST Cybersecurity Framework talks about Supply Chain Risk Management and measuring cybersecurity

Draft update to NIST Cybersecurity Framework talks about Supply Chain Risk Management and measuring cybersecurity

The National Institute of Standards and Technology (NIST), a measurement standards laboratory under the US Department of Commerce released draft Version 1.1 of its Cybersecurity Framework last week. NIST is seeking feedback and the deadline for submission is April 10, 2017.

Updates include addition of an entirely new section on measurement and demonstration of cybersecurity and Supply Chain Risk Management (SCRM) considerations in all sections throughout the document, refining the language of the Access Control Category to better define and account for authentication, authorization, and identity proofing and better explanation of the relationship between Implementation Tiers and Profiles.

Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity, or the Cybersecurity Framework, released in February 2014, after a year-long consultation between public and private sectors and academia has become one of the most important cybersecurity reference standards for governments and corporates globally. NIST had announced in June 2016 that it would be refining the cybersecurity framework. The proposed updates are based on feedback from Cybersecurity Framework Workshop 2016 and responses to a December 2015 Request for Information (RFI) entitled Views on the Framework for Improving Critical Infrastructure Cybersecurity

Matt Barrett, NIST’s program manager for the Cybersecurity Framework (OpenGov spoke to Matthew Barrett, Program Manager, Cyber Security Framework last year) said,“We wrote this update to refine and enhance the original document and to make it easier to use. This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”


Cyber SCRM, as its name indicates, encompasses cybersecurity in the entire supply chain from information technology (IT) and operational technology (OT) suppliers and buyers, along with non-IT and non-OT partners. Examples would include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system.

Having strong cybersecurity implementation within the organisation might not be enough, as poor manufacturing and development practices any point within the cyber supply chain can introduce vulnerabilities. The objective of cyber SCRM is to identify, assess and mitigate the risks from such products and services.

SCRM needs to be factored into Protection, Detection, Response and Recovery protocols of organisations. The draft adds sections on SCRM in all 4 of the implementation tiers (‘how an organization views cybersecurity risk and the processes in place to manage that risk’) of Partial, Risk-informed, Repeatable and Adaptive.

The draft framework lists the following as possible Cyber SCRM activities:

  • Determining cybersecurity requirements for suppliers and IT and OT partners
  • Enacting cybersecurity requirements through formal agreement (e.g. contracts),
  • Communicating to suppliers and partners how those cybersecurity requirements will
  • be verified and validated
  • Verify cybersecurity requirements are met through a variety of assessment methodologies
  • Governing and managing the above activities

Measuring and demonstrating cybersecurity

This new section looks at metrics for creating meaning and awareness of organizational security postures by aggregating and correlating measures. It goes on to define measures as “quantifiable, observable, objective data supporting metrics.”

The draft says that the objective of measuring cybersecurity is to correlate cybersecurity with business objectives, to understand and quantify cause-and-effect.

It points out that correlating cybersecurity metrics to business objectives would often be more complex than measuring one cybersecurity result. The draft highlights that isolating cybersecurity outcomes and business objectives in terms of a cause and effect relationship is one of the biggest challenges with regards to measuring cybersecurity and care must be taken that there is true correlation between a given cybersecurity outcome and business objective.

The expense associated with a measurement system is taken into account, with the draft framework recommending that the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.

Read the press release here.

Read the Draft version 1.1 of the Cybersecurity framework with markup here.


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


As a Titanium Black Partner of Dell Technologies, CTC Global Singapore boasts unparalleled access to resources.

Established in 1972, we bring 52 years of experience to the table, solidifying our position as a leading IT solutions provider in Singapore. With over 300 qualified IT professionals, we are dedicated to delivering integrated solutions that empower your organization in key areas such as Automation & AI, Cyber Security, App Modernization & Data Analytics, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Renowned for our consulting expertise and delivering expert IT solutions, CTC Global Singapore has become the preferred IT outsourcing partner for businesses across Singapore.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and consulting services provider, helping clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,800 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity, and service. For more information, visit