The NIST Cybersecurity Framework (NIST CSF) is a policy framework surrounding IT infrastructure security. The National Institute of Standards and Technology (NIST) constructed the CSF for private sector organizations in the United States to create a roadmap for critical infrastructure cybersecurity. More specifically, the CSF is made up of standards, guidelines and practices that can be used to prevent, detect and respond to cyberattacks.
NIST's CSF is most beneficial for small or less regulated entities -- specifically those that are trying to get started with security awareness. The framework may be less informative for larger organizations that already have a focused IT security program.
The framework was created as a voluntary measure through a collaboration between industry and government. NIST designed the framework to be flexible, prioritized and cost-efficient. The NIST Cybersecurity Framework is available as a spreadsheet or PDF and as a reference tool.
The NIST Cybersecurity Framework, designed for private sector organizations, is aimed at ensuring critical IT infrastructure is secure. NIST's framework is intended to provide guidance but is not compliance-focused. The hope is to encourage organizations to consider cybersecurity risks as a priority -- similar to financial, industrial/personnel safety and operational risks.
Another objective of the framework is to insert cybersecurity risk considerations into day-to-day discussions that take place at organizations around the country.
NIST's CSF is used to help an organization that needs to protect infrastructure it deems critical. The framework can be used to increase security in the following examples:
- to determine current levels of implemented cybersecurity measures by creating a profile;
- to identify new potential cybersecurity standards and policies;
- to communicate new requirements; and
- to create a new cybersecurity program and requirements.
The framework is meant to be both voluntary and performance-based, meaning that organizations are not obliged to follow it. Originally, the NIST Cybersecurity Framework was thought up to be used as a guideline under the 44th president -- signed as an executive order. The standards continued to be implemented by government offices under the 45th president as well.
However, government and private sector organizations are not the only organizations that can choose to use the NIST Cybersecurity Framework; public companies can as well. Both the U.S. government and NIST have provided several tools that can help organizations get started with cybersecurity programs and assessments as well. Version 1.1 of the framework added a section titled "Self-Assessing Cybersecurity Risk with the Framework" for organizations to follow.
NIST does not see the term comply as the right phrasing, however. If an organization chooses to follow the framework, NIST uses the term leverage instead -- as in an organization will leverage the NIST Cybersecurity Framework.
In February 2013, the 44th president, Barack H. Obama, issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The executive order called for the development of a voluntary cybersecurity framework that would provide a prioritized, flexible and performance-based approach to aid organizations in managing cybersecurity risks for critical infrastructure services. While multiple federal agencies were tasked with developing elements related to this executive order, NIST was assigned to develop a cybersecurity framework -- with added help from industry feedback. The final version of NIST's document was released in 2014.
The document was later translated into different languages to be used by a variety of governments. Translations include Spanish, Japanese, Portuguese and Arabic.
In 2017, a draft version 1.1 of the document was circulated, later being made publicly available in April 2018. The 45th president, Donald J. Trump, continued to implement the executive order.
Parts of the framework
The framework can be broken down into three parts: the framework core, framework implementation and framework profile.
The framework core, as described by NIST, is the set of cybersecurity activities and desired outcomes that are common across any critical infrastructure sectors. The core includes five functions intended to be continuous: identify, protect, detect, respond and recover. These functions have the goal of providing a strategic view of the cybersecurity risks in an organization.
The framework implementation consists of tiers that provide context on an organization's cybersecurity risks, as well as any processes put in place to manage risks. The tiers describe how much an organization's cybersecurity risk management practices follow the characteristics defined in the framework. A Tier 1 organization is one that's ranked as partial, described as having limited awareness. The tier system moves up to Tier 4, which refers to an organization that is seen as adaptive. This tier can react best to cybersecurity threats.
The framework profile can be used to describe the current state of an organization's security program, as well as compare that current state to the desired state. This process can be used to reveal any gaps, which can be later addressed. The goal of a profile is to aid organizations in establishing a roadmap for reducing cybersecurity risk.
The CSF is made up of the following five core functions:
- Identify, which refers to developing an understanding of how to manage cybersecurity risks to systems, assets, data or other sources.
- Protect, which refers to the safeguards put in place that ensure critical infrastructure services are delivered.
- Detect, which defines how a cybersecurity event is identified.
- Respond, which defines what actions are taken when a cybersecurity event is detected.
- Recover, which identifies what services should focus on resilience, as well as outlines restore capabilities of impaired services.