Remove ads
U.S. government-sponsored framework of cybersecurity From Wikipedia, the free encyclopedia
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.
The CSF is composed of three primary components: the Core, Implementation Tiers, and Profiles. The Core outlines five key cybersecurity functions—Identify, Protect, Detect, Respond, and Recover—each of which is further divided into specific categories and subcategories. These functions offer a high-level, outcome-driven approach to managing cybersecurity risks. The Implementation Tiers help organizations assess the sophistication of their cybersecurity practices, while the Profiles allow for customization based on an organization's unique risk profile and needs.
Since its inception, the CSF has undergone several updates to reflect the evolving nature of cybersecurity. Version 1.1, released in 2018, introduced enhancements related to supply chain risk management and self-assessment processes. The most recent update, Version 2.0, was published in 2024, expanding the framework’s applicability and adding new guidance on cybersecurity governance and continuous improvement practices.
The NIST Cybersecurity Framework is used internationally and has been translated into multiple languages. It serves as a benchmark for cybersecurity standards, helping organizations align their practices with recognized global standards, such as ISO/IEC 27001 and COBIT. While widely praised, the framework has been criticized for the cost and complexity involved in its implementation, particularly for small and medium-sized enterprises.
The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and mitigate cybersecurity risks. It draws from existing standards, guidelines, and best practices to provide a flexible and scalable approach to cybersecurity.[1] The framework provides a high-level taxonomy of cybersecurity outcomes and offers a methodology for assessing and managing those outcomes.[2] Additionally, it addresses the protection of privacy and civil liberties in a cybersecurity context.[3]
The CSF has been translated into multiple languages and is widely used by governments, businesses, and organizations across various sectors.[4][5] According to a 2016 survey, 70% of organizations view the NIST Cybersecurity Framework as a best practice for computer security, though some have noted that implementation can require significant investment.[6]
The framework is designed to be flexible and adaptable, providing high-level guidance that allows individual organizations to determine the specifics of implementation based on their unique needs and risk profiles.[7]
Version 1.0 of the framework was published in 2014, primarily targeting operators of critical infrastructure. A public draft of Version 1.1 was released for comment in 2017, and the final version was published on April 16, 2018. Version 1.1 retained compatibility with the original framework while introducing additional guidance on areas such as supply chain risk management. Version 2.0, released in 2024, further expanded the framework's scope and introduced new guidelines on self-assessment and cybersecurity governance.[8]
The framework consists of three main components: the "Core," "Profiles," and "Tiers." The Core provides a comprehensive set of activities, outcomes, and references related to various aspects of cybersecurity. The Implementation Tiers help organizations assess their cybersecurity practices and sophistication, while the Profiles allow organizations to tailor the framework to their specific requirements and risk assessments.[9]
Organizations typically start by developing a "Current Profile" to describe their existing cybersecurity practices and outcomes. From there, they can create a "Target Profile" to outline the desired future state and define the steps needed to achieve it. Alternatively, organizations can adopt a baseline profile based on their sector or specific industry needs.
Research indicates that the NIST Cybersecurity Framework has the potential to influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still emerging. This influence could foster better international cybersecurity practices, benefiting businesses that operate across borders and contributing to global cybersecurity efforts.[10]
The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all.
For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references requires a paid membership or purchase to access their respective guides. The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.[11][12]
Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document.[13]
"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
"Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident."
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident."
In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies’ operational environments.[14]
The NIST Cybersecurity Framework is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best-practices and lessons learned. Since releasing version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released a subsequent concept paper in January of 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and has requested public comments be submitted by November 4, 2023. [15]
The following is a list of the major changes to the framework from version 1.1 to 2.0:[16]
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.