The NIST Cybersecurity Framework is
|“||[a] voluntary structure to reduce cyber risks that relies on private sector input and existing standards, guidelines, and practices.||”|
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under Executive Order 13636: "Improving Critical Infrastructure Cybersecurity" directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
|“||The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance‐based, and cost‐effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross‐sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards‐developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.||”|
This NIST Cybersecurity Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. Given the diversity of sectors in critical infrastructure, the Framework development process was designed to initially identify cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies.
The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and will be consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Cybersecurity Framework is designed for compatibility with existing regulatory authorities and regulations.
The Cybersecurity Framework provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls to help owners and operators of critical infrastructure and other interested entities to identify, assess, and manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
To enable technical innovation and account for organizational differences, the Cybersecurity Framework does not prescribe particular technological solutions or specifications. It includes guidance for measuring the performance of an entity in implementing the Cybersecurity Framework and includes methodologies to identify and mitigate impacts of the Framework and associated information security measures and controls on business confidentiality and to protect individual privacy and civil liberties.
An updated version of the Framework, Version 1.1, is expected to be released later in 2017.
Background — NIST responsibilities
NIST plans to develop the Framework in a manner that is consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework will be developed by ongoing engagement with, and input from, stakeholders in government, industry, and academia, including an open public review and comment process, workshops and other means of engagement.
- (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
- (ii) specify high-priority gaps for which new or revised standards are needed; and
- (iii) collaboratively develop action plans by which these gaps can be addressed.
The Framework will seek to promote the wide adoption of practices to increase cybersecurity across all sectors and industry types. It will seek to provide owners and operators a flexible, repeatable and cost effective risk-based approach to implementing security practices while allowing organizations to express requirements to multiple authorities and regulators.
NIST issued a Request for Information (RFI) in the Federal Register (Developing a Framework To Improve Critical Infrastructure Cybersecurity) to gather initial information on the many interrelated considerations, challenges, and efforts needed to develop the Framework. Throughout the process, NIST has issued public updates on the development of the Cybersecurity Framework. NIST issued the first update on June 18, 2013, and the second update on July 24, 2013.
On October 23, 2013, NIST published a "Preliminary Cybersecurity Framework." After comments, a final framework is expected to be issued in February 2014. On Oct. 29, 2013, the NIST published a "Request for Comments on the Preliminary Cybersecurity Framework" in the Federal Register.
The three main elements of the Cybersecurity Framework (NIST 2014) are the Core, the Framework Implementation Tiers (Tiers), and the Profile.
The Core is a set of "cybersecurity activities, desired outcomes, and applicable informative references that are common across critical infrastructure sectors," which are organized under five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is divided into Categories, Subcategories, and informative references. The Categories are cybersecurity outcomes that are closely tied to programmatic needs and particular activities. The Subcategories are specific outcomes of technical and/or management activities that support achievement of each Category. Informative references are specific cross-sector standards, guidelines, and best practices that illustrate a method to achieve the outcomes associated with each Subcategory.
Tiers describe an organization's approach to "cybersecurity risk and the processes in place to manage that risk," ranging from Tier 1 (Partial) to Tier 4 (Adaptive). Each Tier demonstrates an increasing degree of rigor and sophistication of cybersecurity risk management and integration with overall organizational needs. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective. Tiers are associated with the overall robustness of an organization's risk management process and are not tied to Functions, Categories, or Subcategories. An organization may align its application of the Tiers with its desired scope for using the Framework (e.g., if an organization is using the Framework for a specific business function only, the Tiers could be used to describe the overall robustness of risk management processes at that business function level).
Profiles align the Framework core elements with business requirements, risk tolerance, and organizational resources. The Profile can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile to a Target Profile. Profiles provide a roadmap to reduce cybersecurity risk consistent with business practices.
- Framework Glossary (Draft) (full-text).
- Executive Order 13636, §7: Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
- NIST, Request for Comments on the Preliminary Cybersecurity Framework, Fed. Reg. (Oct. 29, 2013) (full-text).