NIST Cybersecurity Framework

Last updated September 09, 2024

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

The CSF is composed of three primary components: the Core, Implementation Tiers, and Profiles. The Core outlines five key cybersecurity functions—Identify, Protect, Detect, Respond, and Recover—each of which is further divided into specific categories and subcategories. These functions offer a high-level, outcome-driven approach to managing cybersecurity risks. The Implementation Tiers help organizations assess the sophistication of their cybersecurity practices, while the Profiles allow for customization based on an organization's unique risk profile and needs.

Since its inception, the CSF has undergone several updates to reflect the evolving nature of cybersecurity. Version 1.1, released in 2018, introduced enhancements related to supply chain risk management and self-assessment processes. The most recent update, Version 2.0, was published in 2024, expanding the framework’s applicability and adding new guidance on cybersecurity governance and continuous improvement practices.

The NIST Cybersecurity Framework is used internationally and has been translated into multiple languages. It serves as a benchmark for cybersecurity standards, helping organizations align their practices with recognized global standards, such as ISO/IEC 27001 and COBIT. While widely praised, the framework has been criticized for the cost and complexity involved in its implementation, particularly for small and medium-sized enterprises.

Overview

The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and mitigate cybersecurity risks. It draws from existing standards, guidelines, and best practices to provide a flexible and scalable approach to cybersecurity.^[1] The framework provides a high-level taxonomy of cybersecurity outcomes and offers a methodology for assessing and managing those outcomes.^[2] Additionally, it addresses the protection of privacy and civil liberties in a cybersecurity context.^[3]

The CSF has been translated into multiple languages and is widely used by governments, businesses, and organizations across various sectors.^[4]^[5] According to a 2016 survey, 70% of organizations view the NIST Cybersecurity Framework as a best practice for computer security, though some have noted that implementation can require significant investment.^[6]

The framework is designed to be flexible and adaptable, providing high-level guidance that allows individual organizations to determine the specifics of implementation based on their unique needs and risk profiles.^[7]

Version 1.0 of the framework was published in 2014, primarily targeting operators of critical infrastructure. A public draft of Version 1.1 was released for comment in 2017, and the final version was published on April 16, 2018. Version 1.1 retained compatibility with the original framework while introducing additional guidance on areas such as supply chain risk management. Version 2.0, released in 2024, further expanded the framework's scope and introduced new guidelines on self-assessment and cybersecurity governance.^[8]

The framework consists of three main components: the "Core," "Profiles," and "Tiers." The Core provides a comprehensive set of activities, outcomes, and references related to various aspects of cybersecurity. The Implementation Tiers help organizations assess their cybersecurity practices and sophistication, while the Profiles allow organizations to tailor the framework to their specific requirements and risk assessments.^[9]

Organizations typically start by developing a "Current Profile" to describe their existing cybersecurity practices and outcomes. From there, they can create a "Target Profile" to outline the desired future state and define the steps needed to achieve it. Alternatively, organizations can adopt a baseline profile based on their sector or specific industry needs.

Research indicates that the NIST Cybersecurity Framework has the potential to influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still emerging. This influence could foster better international cybersecurity practices, benefiting businesses that operate across borders and contributing to global cybersecurity efforts.^[10]

Functions and categories of cybersecurity activities

NIST Version 1.1 Framework-01.png — NIST Version 1.1

The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all.

For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references requires a paid membership or purchase to access their respective guides. The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.^[11]^[12]

Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document.^[13]

Identify

"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV):- The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.

Protect

"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond

"Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident."

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Recover

"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident."

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Updates

In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies’ operational environments.^[14]

Journey to CSF 2.0

The NIST Cybersecurity Framework is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best-practices and lessons learned. Since releasing version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released a subsequent concept paper in January of 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and has requested public comments be submitted by November 4, 2023. ^[15]

Main Changes

The following is a list of the major changes to the framework from version 1.1 to 2.0:^[16]

The title of the framework has changed from "Framework for Improving Critical Infrastructure Cybersecurity" to "Cybersecurity Framework". The scope of the framework has been updated to reflect the large population of organizations that use the framework.
Implementation examples have been added to provide practical and action-oriented processes to help users achieve the CSF subcategories. Additionally, the framework Profiles have been revised and expanded to demonstrate the various purposes of the profiles.
A new Function, Govern, has been added to provide organizational context and the roles and responsibilities associated with developing a cybersecurity governance model. There is also an additional category in this Function focused on cybersecurity supply chain risk management.
The latest update also provides greater information on cybersecurity assessments by placing greater importance on the continuous improvement of security through a new Improvement Category in the Identify Function.

Related Research Articles

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The Information Security Forum (ISF) is an independent information security body.

A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

The Risk Management Framework (RMF) is a United States federal government guideline, standard, and process for managing risk to help secure information systems, developed by the National Institute of Standards and Technology (NIST). The RMF provides a structured process that integrates information security, privacy, and risk management activities into the system development life cycle.

Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

Risk IT Framework, published in 2009 by ISACA, provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

The National Cybersecurity Center of Excellence (NCCoE) is a US government organization that builds and publicly shares solutions to cybersecurity problems faced by U.S. businesses. The center, located in Rockville, Maryland, was established in 2012 through a partnership with the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County. The center is partnered with nearly 20 market-leading IT companies, which contribute hardware, software and expertise.

The Cyber Resilience Review (CRR) is an assessment method developed by the United States Department of Homeland Security (DHS). It is a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal, and territorial governments. The CRR has a service-oriented approach, meaning that one of the foundational principles of the CRR is that an organization deploys its assets to support specific operational missions. The CRR is offered in a facilitated workshop format and as a self-assessment package. The workshop version of the CRR is led by a DHS facilitator at a critical infrastructure facility. The workshop typically takes 6–8 hours to complete and draws on a cross section of personnel from the critical infrastructure organization. All information collected in a facilitated CRR is protected from disclosure by the Protected Critical Infrastructure Information Act of 2002. This information cannot be disclosed through a Freedom of Information Act request, used in civil litigation, or be used for regulatory purposes. The CRR Self-Assessment Package allows an organization to conduct an assessment without the need for direct DHS assistance. It is available for download from the DHS Critical Infrastructure Cyber Community Voluntary Program website. The package includes an automated data answer capture and report generation tool, a facilitation guide, comprehensive explanation of each question, and a crosswalk of CRR practices to the criteria of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The questions asked in the CRR and the resulting report are the same in both versions of the assessment. DHS partnered with the CERT Division of the Software Engineering Institute at Carnegie Mellon University to design and deploy the CRR. The goals and practices found in the assessment are derived from the CERT Resilience Management Model (CERT-RMM) Version 1.0. The CRR was introduced in 2009 and received a significant revision in 2014.

The External Dependencies Management Assessment is a voluntary, in-person, facilitated assessment created by the United States Department of Homeland Security. The EDM Assessment is intended for the owners and operators of critical infrastructure organizations in the United States. It measures and reports on the ability of the subject organization to manage external dependencies as they relate to the supply and operation of information and communications technology (ICT). This area of risk management is also sometimes called Third Party Risk Management or Supply Chain Risk Management.

References

This article incorporates public domain material from NIST Cybersecurity Framework (PDF). National Institute of Standards and Technology.

↑ Gordon, Lawrence A; Loeb, Martin P; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (tyaa005). doi: 10.1093/cybsec/tyaa005 . ISSN 2057-2085.
↑ "Achieving Successful Outcomes With the NIST Cybersecurity Framework". GovLoop. February 13, 2019. Retrieved June 12, 2021.
↑ HealthITSecurity (February 10, 2016). "HIMSS: NIST Cybersecurity Framework Positive, Can Improve" . Retrieved August 2, 2016.
↑ "NIST Cybersecurity Framework".
↑ "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. April 7, 2016. Retrieved August 2, 2016.
↑ "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. March 30, 2016. Retrieved August 2, 2016.
↑ Gordon, Lawrence A; Loeb, Martin P; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (1). doi: 10.1093/cybsec/tyaa005 . ISSN 2057-2085.
↑ "NIST Releases Version 2.0 of Landmark Cybersecurity Framework".
↑ Justin Seitz (April 14, 2021). Black Hat Python: Python Programming for Hackers. No Starch Press. ISBN 978-1718501126.
↑ Shackelford, Scott J; Proia, Andrew A; Martell, Brenton; Craig, Amanda N (2015). "Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices". Texas International Law Journal. 50 (2/3): 305–355. SSRN 2446631. ProQuest 1704865080.
↑ "MAIN STREET Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
↑ "NIST Small Business Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
↑ "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1" (Document). National Institute of Standards and Technology. April 16, 2018. doi: 10.6028/nist.cswp.04162018 .
↑ "Security Measures for "EO-Critical Software" Use". NIST. May 12, 2021.
↑ "The NIST Cybersecurity Framework 2.0". NIST. 2023. doi:10.6028/NIST.CSWP.29.ipd . Retrieved October 20, 2023.
↑ "Public Draft: The NIST Cybersecurity Framework 2.0" (PDF). NIST. Retrieved October 20, 2023.

External links

Official website
Harnessing the Power of the NIST Cybersecurity Framework
NISTIR 8374 (Draft): Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft)
Informative References Home
Derived Relationship Mapping
Informative Reference Catalog

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Gordon, Lawrence A; Loeb, Martin P; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (tyaa005). doi: 10.1093/cybsec/tyaa005 . ISSN 2057-2085.

[2] "Achieving Successful Outcomes With the NIST Cybersecurity Framework". GovLoop. February 13, 2019. Retrieved June 12, 2021.

[3] HealthITSecurity (February 10, 2016). "HIMSS: NIST Cybersecurity Framework Positive, Can Improve" . Retrieved August 2, 2016.

[4] "NIST Cybersecurity Framework".

[5] "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. April 7, 2016. Retrieved August 2, 2016.

[6] "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. March 30, 2016. Retrieved August 2, 2016.

[7] Gordon, Lawrence A; Loeb, Martin P; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (1). doi: 10.1093/cybsec/tyaa005 . ISSN 2057-2085.

[8] "NIST Releases Version 2.0 of Landmark Cybersecurity Framework".

[9] Justin Seitz (April 14, 2021). Black Hat Python: Python Programming for Hackers. No Starch Press. ISBN 978-1718501126.

[10] Shackelford, Scott J; Proia, Andrew A; Martell, Brenton; Craig, Amanda N (2015). "Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices". Texas International Law Journal. 50 (2/3): 305–355. SSRN 2446631. ProQuest 1704865080.

[11] "MAIN STREET Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.

[12] "NIST Small Business Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.

[13] "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1" (Document). National Institute of Standards and Technology. April 16, 2018. doi: 10.6028/nist.cswp.04162018 .

[14] "Security Measures for "EO-Critical Software" Use". NIST. May 12, 2021.

[15] "The NIST Cybersecurity Framework 2.0". NIST. 2023. doi:10.6028/NIST.CSWP.29.ipd . Retrieved October 20, 2023.

[16] "Public Draft: The NIST Cybersecurity Framework 2.0" (PDF). NIST. Retrieved October 20, 2023.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]