The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released its first major revision to their standards and best practices for cybersecurity policy this month.

The update was compiled after a two-year research period and sought to address some of the newer and more prolific threats to cybersecurity since the original framework was drafted, specifically targeting authentication, identity, self-assessment, and vulnerability disclosures.

Congressman Jim Langevin, who co-founded and co-chairs the Congressional Cybersecurity Caucus, applauded the revision in a press release:

“As demonstrated by the Russian government’s targeting of our election systems… the cybersecurity threats to our critical infrastructure continue to evolve… this update also greatly expands guidelines for managing the cybersecurity risks posed by supply chains, risks that were exploited to extremely damaging effect by Russia’s NotPetya malware.”

Langevin also expressed some reservations:

“While I appreciate NIST’s decision to continue to explore ways to measure the cost effectiveness of cybersecurity, I do believe this revision was a missed opportunity to provide more concrete guidance on ways to quantify risk. Cybersecurity is not just a technical issue, and an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily.”

NIST has scheduled an updated Roadmap for Improving Critical Infrastructure Cybersecurity and will feature the framework at the agency’s Cybersecurity Risk Management Conference later on in 2018.

For more information, read here.