The NIST Cybersecurity Framework was released in February 2014 as voluntary guidance, based on existing standards and practices for critical infrastructure, for organizations to improve security risk management. It is widely considered the gold standard for building cybersecurity programs and is a scalable and customizable approach that can work in organizations of any size across various industries.
The Framework Core (as of CSF version 1.1) contains 23 categories and 108 subcategories. These are outcome statements rather than prescriptive security controls; each subcategory maps to informative references such as NIST SP 800-53, ISO/IEC 27001, and COBIT. The categories are organized under 5 core functions:
Identify—Assess and uncover cybersecurity risks to systems, assets, data, and capabilities. This includes categories such as asset management, business environment, risk assessment, and supply chain risk management.
Protect—Develop and implement safeguards and controls to ensure delivery of critical infrastructure services. This includes categories such as identity management, authentication and access control, and data security.
Detect—Develop activities and controls to monitor and detect cybersecurity events. This includes categories such as anomalies and events, security continuous monitoring, and detection processes.
Respond—Develop techniques to control and mitigate cybersecurity incidents. This includes response planning, communications, analysis, mitigation, and improvements.
Recover—Develop and implement processes to restore capabilities or services impaired by a cybersecurity incident. This includes recovery planning, improvements, and communications.
The CSF can help businesses address key security challenges in their organizations, such as:
- Uncovering hidden risks and vulnerabilities
- Leveraging the right tools and resources to address risks
- Prioritizing risks to focus on critical threats
- Understanding which assets need protection
According to NIST, “The [Cybersecurity] Framework not only helps organizations understand their cybersecurity risks (threats, vulnerabilities, and impacts) but how to reduce these risks with customized measures. The Framework also helps them respond to and recover from cybersecurity incidents, prompting them to analyze root causes and consider how they can make improvements.”
Developing the CSF
NIST developed the Framework for Improving Critical Infrastructure Cybersecurity (aka the Cybersecurity Framework or CSF) following Executive Order 13636 in February 2013. The Executive Order by then-President Obama introduced efforts to share cybersecurity threat information and create a systematic approach to reducing risks to critical infrastructure.
NIST was tasked with several requirements, including:
- Identifying security standards applicable across sectors of critical infrastructure
- Providing a flexible, repeatable, and cost-effective approach
- Helping critical infrastructure operators to identify, assess, and manage cyber risk
- Enabling technical innovation while accounting for organizational differences
To meet these goals, NIST solicited input from stakeholders across government, industry, and academia. Over the course of a year, NIST sent out a Request for Information and Request for Comment to:
- Identify existing cybersecurity standards and best practices.
- Specify critical gaps in current security approaches and where existing standards needed revision.
- Outline action plans to address these gaps.
Thousands of stakeholders contributed to the framework’s development and design. This is one reason the CSF is so valuable. The decentralized, collaborative approach helped NIST create a comprehensive framework that is both rigorous and flexible to the needs of diverse industries and organizations.