What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (NIST CSF) provides guidance on how to manage and reduce IT infrastructure security risk. The CSF is made up of standards, guidelines and practices that can be used to prevent, detect and respond to cyberattacks.
The National Institute of Standards and Technology (NIST) created the CSF for private sector organizations in the United States to create a roadmap for critical infrastructure cybersecurity. It has been translated into other languages and is used by the governments of Japan and Israel, among others.
NIST's CSF is most beneficial for small or less-regulated entities -- specifically those trying to increase security awareness. The framework may be less informative for larger organizations that already have a focused IT security program.
The framework was created as a voluntary measure through a collaboration between private industry and government. NIST designed the framework to be flexible and cost-efficient, with elements that can be prioritized. The NIST Cybersecurity Framework is available as a spreadsheet or PDF and as a reference tool.
The NIST Cybersecurity Framework, designed for private sector organizations, is aimed at ensuring critical IT infrastructure is secure. NIST's framework is intended to provide guidance but is not compliance-focused. The goal is to encourage organizations to make addressing cybersecurity risks a priority -- similar to financial, industrial/personnel safety and operational risks.
Another objective of the framework is to insert cybersecurity risk considerations into day-to-day discussions that take place at organizations around the country.
Uses of NIST's Cybersecurity Framework
NIST's CSF is designed to help an organization that needs to protect infrastructure it deems critical. The framework can be used to increase security in the following ways:
- to determine current levels of implemented cybersecurity measures by creating a profile;
- to identify new potential cybersecurity standards and policies;
- to communicate new requirements; and
- to create a new cybersecurity program and requirements.
The framework is meant to be both voluntary, meaning that organizations are not obliged to follow it, and performance-based. Originally, the NIST Cybersecurity Framework was called for as a guideline by an executive order issued by former President Barack H. Obama. The standards continued to be implemented by government offices under former President Donald J. Trump.
Government and private sector organizations are not the only organizations that can choose to use the NIST Cybersecurity Framework, however; public companies can as well. Both the U.S. government and NIST have provided several tools that can help organizations get started with cybersecurity programs and assessments. Version 1.1 of the framework added a section titled "Self-Assessing Cybersecurity Risk with the Framework" for organizations to follow.
NIST does not use the term comply, however. If an organization chooses to follow the framework, NIST uses the term leverage -- as in an organization will leverage the NIST Cybersecurity Framework.
History of the CSF
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The executive order called for the development of a voluntary cybersecurity framework that would provide a prioritized, flexible and performance-based approach to aid organizations in managing cybersecurity risks for critical infrastructure services. While multiple federal agencies were tasked with developing elements related to this executive order, NIST was assigned to develop a cybersecurity framework with input from private industry. The final version of NIST's document was released in 2014.
The document was later translated into different languages to be used by a variety of governments. Translations include Spanish, Japanese, Portuguese and Arabic.
In 2017, a draft version 1.1 of the document was circulated and later made publicly available in April 2018. President Trump continued to implement the executive order.
Three parts of the framework
The CSF can be broken down into three parts: the core, the implementation tiers and the profile.
- The framework core, as described by NIST, is the set of cybersecurity activities and desired outcomes common across any critical infrastructure sector.
The CSF is made up of the following five core functions:
- Identify, which refers to developing an understanding of how to manage cybersecurity risks to systems, assets, data or other sources.
- Protect, which refers to the safeguards put in place to ensure that critical infrastructure services are delivered.
- Detect, which defines how a cybersecurity event is identified.
- Respond, which defines what actions are taken when a cybersecurity event is detected.
- Recover, which identifies which services should focus on resilience and outlines how capabilities impaired by a cybersecurity event are restored.
The goal of these functions is to provide a strategic view of the cybersecurity risks in an organization.
- The framework implementation consists of tiers that provide context around an organization's cybersecurity risks, as well as any processes put in place to manage those risks. The tiers describe how closely an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. A Tier 1 organization is ranked as partial, described as having limited awareness of risk. The tier system moves up to Tier 4, which refers to an organization that is seen as adaptive, meaning it is best able to react to cybersecurity threats.
- The framework profile can be used to describe the current state of an organization's security program, as well as compare that current state to the desired state. This process can be used to reveal any gaps, which can be later addressed. The goal of a profile is to aid organizations in establishing a roadmap for reducing cybersecurity risk.
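The profile-based gap analysis described above, as an added example that is not part of the article or any NIST tool: it assigns each core function a current and a target tier, validates the tier values, and orders the gaps into a roadmap. Scoring tiers per function is a simplification assumed here (the framework's tiers characterize an organization's practices overall, and profiles are built from its outcome categories); the tier names Risk Informed and Repeatable come from the framework's tier definitions, and all tier values are constructed sample data.

```python
"""Added example: a minimal NIST CSF profile gap analysis. Current and target
profiles assign each of the five core functions a tier from 1 (Partial) to
4 (Adaptive); the difference between them is the remediation roadmap.
Per-function tiers are an assumed simplification; tier values are constructed."""

# Core functions in the order the framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Implementation tier labels as named in the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def validate_profile(profile):
    """Check that a profile covers every core function with a tier in 1..4."""
    missing = [f for f in FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"profile missing functions: {missing}")
    for func, tier in profile.items():
        if func not in FUNCTIONS:
            raise ValueError(f"unknown function: {func}")
        if tier not in TIERS:
            raise ValueError(f"{func}: tier must be 1-4, got {tier!r}")
    return True


def profile_gaps(current, target):
    """Return {function: (current_tier, target_tier, gap)} for every function
    whose target tier exceeds its current tier."""
    validate_profile(current)
    validate_profile(target)
    gaps = {}
    for func in FUNCTIONS:
        gap = target[func] - current[func]
        if gap > 0:
            gaps[func] = (current[func], target[func], gap)
    return gaps


def roadmap(current, target):
    """Order gaps for remediation: largest gap first, ties broken by the
    framework's function order (Identify before Protect, and so on)."""
    gaps = profile_gaps(current, target)
    ordered = sorted(gaps, key=lambda f: (-gaps[f][2], FUNCTIONS.index(f)))
    return [f"{f}: Tier {gaps[f][0]} ({TIERS[gaps[f][0]]}) -> "
            f"Tier {gaps[f][1]} ({TIERS[gaps[f][1]]})" for f in ordered]


# Constructed sample profiles for a small organization (not real data).
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 3}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}

if __name__ == "__main__":
    for step in roadmap(CURRENT_PROFILE, TARGET_PROFILE):
        print(step)
```

With the sample profiles, Detect and Respond (two tiers short) lead the roadmap, Identify and Protect follow, and Recover is already at target so it is omitted.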