National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

What Is the NIST Cybersecurity Framework?

NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards. The NIST Cybersecurity Framework (CSF) is a voluntary framework that provides guidance for managing cybersecurity risk based on existing standards, guidelines, and practices. Although primarily intended for US critical infrastructure organizations, the Framework is flexible enough to be used by any organization anywhere in the world.

The Cybersecurity Framework (CSF) is a set of cybersecurity best practices and recommendations from the National Institute of Standards and Technology (NIST). The CSF makes it easier to understand cyber risks and improve your defenses. Organizations around the world use it to make better risk-based investment decisions.

What is NIST?

Founded in 1901, NIST is an agency of the U.S. Department of Commerce. It advances measurement science, standards, and technology to improve our quality of life. NIST has provided important computer security guidance for many decades.

Why is the CSF important?

There are many cyber best practices available, but they are long and difficult to understand. The CSF makes cyber-risk management easier, so that you can take the right action right away. It also simplifies the language of cybersecurity so that everyone can understand it, both inside and outside your organization.

What makes the CSF easy to use?

The CSF uses a simple structure with just five key functions: Identify, Protect, Detect, Respond, and Recover. Each function uses clear, outcome-based language without extensive technical detail. The CSF also outlines a simple process to help improve your cybersecurity program.

Is the CSF a compliance mandate?

No, the CSF is not a compliance mandate. It is a voluntary, flexible framework available for everyone to use and customize to their unique needs.

Who uses the CSF?

The NIST CSF was originally intended for use by critical infrastructure sectors like healthcare, utilities, and manufacturers. That’s why its official title is the Framework for Improving Critical Infrastructure Cybersecurity. But organizations of all sizes, all around the world have recognized its value and adopted the framework.

Core functions of the NIST CSF

The CSF contains three key components: the core, the implementation tiers, and the profiles.

The core

The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity. The core has four elements: functions, categories, subcategories, and informative references. Each function is divided into categories, which are the activities necessary to fulfill each function. These might include asset management, risk assessment, awareness and training, and detection processes. Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfill each category. Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines.

Identify: Identify potential cybersecurity risks to your information assets

The Identify function helps you to develop an overall risk management approach to cybersecurity. It helps you understand your critical assets, business environment, governance model, and supply chain.

Protect: Protect yourself against these risks by developing and implementing safeguards

Protect helps you put important defensive controls in place based on your critical assets, risk tolerance, and other input from the Identify function. Protect highlights the importance of managing identities, securing access, protecting data, and training users.

Detect: Detect any irregular activity to determine if breaches have occurred

When you are under attack, you may not always know right away. The Detect function shortens the time to discovery by spotting anomalies, investigating events, continuously monitoring, and other detection processes.

Respond: Respond to any detected breaches to contain their impact

When you know you are under attack, you have to act fast. Respond helps you take the right action immediately through incident response planning, analysis, mitigation, communication, and ongoing improvement.

Recover: Recover from these breaches by restoring any undermined assets

And once you have stopped the attack, you need to get back to normal. The Recover function helps you restore operations through recovery planning, continuous improvement, and communications.

Framework Implementation Tiers

Framework Implementation Tiers describe the sophistication of the organization's cybersecurity measures based on its risk management process, integrated risk management program, and external participation in risk management. The four tiers are Partial, Risk-Informed, Repeatable, and Adaptive.

The Current profile

The current profile is a picture of an organization’s ongoing cybersecurity activities and their outcomes. It is an opportunity for an organization to establish its current cybersecurity activities. The current profile can also effectively communicate the organization’s cybersecurity posture internally or with external partners.

The Target profile

The target profile describes the organization’s intended destination for cybersecurity risk management activities. These destinations are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.
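The Core hierarchy (Function, Category, Subcategory, Informative References) and the Current/Target Profile comparison described above are easy to turn into a small gap-analysis tool. The following is an added example written for this page, not code from NIST or the cited source: it models a slice of the Core, records a constructed Current Profile and Target Profile as per-Subcategory implementation statuses, validates them, and lists the Subcategories where the organization falls short of its target. Subcategory IDs follow the CSF v1.1 naming scheme (Function.Category-n); the outcome wording, the reference labels and both profiles are abbreviated or constructed for illustration.

```python
"""CSF Core model plus Current-vs-Target Profile gap analysis (added example;
IDs use the CSF v1.1 scheme, wording and reference labels are constructed)."""
from dataclasses import dataclass

# The five Functions, in the order the page lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Implementation status a Profile records for each Subcategory (ordered).
STATUS = {"not_implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class Subcategory:
    sub_id: str        # Function.Category-n, e.g. ID.AM-1
    function: str      # one of FUNCTIONS
    category: str      # activity needed to fulfil the Function
    outcome: str       # specific result the Subcategory describes
    references: tuple  # informative references (publication labels)


# A small slice of the Core (constructed sample; wording abbreviated).
CORE = (
    Subcategory("ID.AM-1", "Identify", "Asset Management",
                "Physical devices and systems are inventoried", ("ISO/IEC 27001", "NIST SP 800-53")),
    Subcategory("ID.RA-1", "Identify", "Risk Assessment",
                "Asset vulnerabilities are identified and documented", ("NIST SP 800-53",)),
    Subcategory("PR.AC-1", "Protect", "Identity Management and Access Control",
                "Identities and credentials are issued, managed and revoked", ("ISO/IEC 27001",)),
    Subcategory("PR.AT-1", "Protect", "Awareness and Training",
                "All users are informed and trained", ("ISO/IEC 27001",)),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored to detect cybersecurity events", ("NIST SP 800-53",)),
    Subcategory("DE.DP-1", "Detect", "Detection Processes",
                "Roles and responsibilities for detection are defined", ("ISO/IEC 27001",)),
    Subcategory("RS.RP-1", "Respond", "Response Planning",
                "Response plan is executed during or after an incident", ("NIST SP 800-53",)),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "Recovery plan is executed during or after an incident", ("NIST SP 800-53",)),
)
BY_ID = {s.sub_id: s for s in CORE}

# Constructed profiles: what is in place today vs. where the org wants to be.
# A Subcategory missing from the Current Profile counts as not implemented.
CURRENT_PROFILE = {
    "ID.AM-1": "partial", "ID.RA-1": "not_implemented",
    "PR.AC-1": "implemented", "PR.AT-1": "partial",
    "DE.CM-1": "partial", "RS.RP-1": "not_implemented",
}
TARGET_PROFILE = {
    "ID.AM-1": "implemented", "ID.RA-1": "implemented",
    "PR.AC-1": "implemented", "PR.AT-1": "implemented",
    "DE.CM-1": "implemented", "DE.DP-1": "partial",
    "RS.RP-1": "implemented", "RC.RP-1": "implemented",
}


def validate_profile(profile):
    """Return (unknown Subcategory IDs, IDs carrying an unknown status).
    Catches typo'd IDs and free-text statuses before they silently drop out."""
    unknown_ids = sorted(set(profile) - set(BY_ID))
    bad_status = sorted(k for k, v in profile.items() if v not in STATUS)
    return unknown_ids, bad_status


def gap_analysis(current, target):
    """List (sub_id, current status, target status, gap) where the Current
    Profile falls short of the Target: largest gap first, then Function order."""
    for profile in (current, target):
        unknown_ids, bad_status = validate_profile(profile)
        if unknown_ids or bad_status:
            raise ValueError(f"unknown IDs {unknown_ids}, bad statuses {bad_status}")
    gaps = []
    for sub_id, want in target.items():
        have = current.get(sub_id, "not_implemented")
        delta = STATUS[want] - STATUS[have]
        if delta > 0:
            gaps.append((sub_id, have, want, delta))
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    gaps.sort(key=lambda g: (-g[3], order[BY_ID[g[0]].function], g[0]))
    return gaps


def gaps_by_function(gaps):
    """Count open gaps per Function, to show where the most work is needed."""
    counts = {f: 0 for f in FUNCTIONS}
    for sub_id, *_ in gaps:
        counts[BY_ID[sub_id].function] += 1
    return counts


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for sub_id, have, want, delta in gaps:
        s = BY_ID[sub_id]
        print(f"{sub_id:8} {s.function:8} gap={delta} {have} -> {want}: {s.outcome}")
    print(gaps_by_function(gaps))
```

The status scale here is a per-Subcategory scoring choice made for this example; the Framework Implementation Tiers described in the next section rate the organization as a whole rather than individual Subcategories, so a Tier is best carried as a separate organization-level label alongside the profile rather than folded into these scores. The validation step matters in practice because profiles usually live in spreadsheets, and a mistyped ID would otherwise vanish from the gap list without any error.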

Source: What is the NIST Cybersecurity Framework (CSF)? | IT Governance USA

History and Creation of the Framework

Overview

This online learning module provides readers with insight into how the NIST Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”) was created, describes some of the major milestones during creation, and explains the goals for creating the Framework.

Improving Critical Infrastructure Cybersecurity

The Framework development process was initiated by Executive Order 13636, which was released on February 12, 2013. The Executive Order introduced efforts on the sharing of cybersecurity threat information, and on building a set of current and successful approaches, a framework, for reducing risks to critical infrastructure. Through this Executive Order, NIST was tasked with the development of a "Cybersecurity Framework".

White House

Executive Order 13636
February 12, 2013

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

The Executive Order established the following requirements for the Framework that NIST used as design criteria:

  • Identify security standards and guidelines applicable across sectors of critical infrastructure
  • Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach
  • Help owners and operators of critical infrastructure identify, assess, and manage cyber risk
  • Enable technical innovation and account for organizational differences
  • Provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
  • Include guidance for measuring the performance of implementing the Cybersecurity Framework
  • Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations

Why NIST?

NIST was selected for the task of developing the Framework because it is a non-regulatory federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices. NIST's mission is to promote U.S. innovation and industrial competitiveness. NIST has a long history of successfully addressing critical national issues through partnerships with industry, academia, and other government agencies. This kind of collaboration would be critical for the Framework to be successful.

Creating the Framework

The Framework was, and continues to be, developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. To develop the Framework, over the course of a year, NIST used a Request for Information (RFI) and Request for Comment (RFC), as well as extensive outreach and five workshops around the country to: (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that were applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) specify high-priority gaps for which new or revised standards were needed; and (iii) collaboratively develop action plans by which these gaps could be addressed.

Framework Creation Events & Timeline

Below are some of the major milestones in the public-private partnership which led to the creation of the Framework.

Executive Order 13636 – Feb 12, 2013

Executive Order 13636 was signed by President Obama on February 12, 2013. As described above, the Executive Order outlined several objectives for establishing a cybersecurity framework to help protect the nation's critical infrastructure. The Executive Order also requested that the framework be developed with support from industry and academia and published within one year of the Executive Order's signing.

RFI – Developing a Framework to Improve Critical Infrastructure Cybersecurity – February 26, 2013

Shortly after the release of Executive Order 13636, NIST released the first in a series of Requests for Information (RFIs) on February 26, 2013. The primary objectives for the initial RFI were to collect lessons learned from industry by understanding which standards were being used, and how effective these standards were in improving cybersecurity across industries. During the comment period ending on April 8, 2013, NIST received over 270 responses to the RFI and analyzed them to develop the agenda for the 2nd Cybersecurity Framework workshop.

1st Cybersecurity Framework Workshop – April 3, 2013

The First Framework Workshop was held as an online-only broadcast from the Department of Commerce in Washington, D.C. The purpose of this workshop was primarily to gather industry interest, raise awareness of the Framework endeavor, and provide insight into the collaborative Framework development process that was just getting started. At this workshop, the primary topics included discussion of Executive Order 13636 and the goals for developing the Framework, and reaffirmation of the collaborative process that would be used to create it. At this event, NIST announced a series of collaborative, in-person workshops all across the country.

2nd Cybersecurity Framework Workshop – May 29-31, 2013

This workshop, along with the following workshops that led up to the Framework's release, was strategically held in locations around the US to help promote attendance by as many participants across as many critical infrastructure sectors as possible. Each of these workshops was also webcast live, and recorded, to allow remote attendees to view and participate. This workshop was held at Carnegie Mellon University in Pittsburgh, PA. The agenda for the workshop was developed based on the analysis of the first RFI, with the goal of further refining and clarifying the information received. The workshop was held across three days and included several simultaneous tracks on specific topics uncovered during the RFI to facilitate the data collection activities. NIST facilitated the workshops to encourage dialogue and debate across a wide range of security topics. Through these discussions, NIST was able to gain a clearer understanding from industry of what was working well, where additional guidance was needed, and which topics should be avoided in the Framework. Following the workshops, NIST analyzed the information presented and developed summary papers describing its take-aways from the workshops. The summaries were then shared back with industry and used to create the Preliminary Cybersecurity Framework draft.

Preliminary Cybersecurity Framework Released – July 1, 2013

The Preliminary Cybersecurity Framework captured the information received from the initial RFI and the previous workshop. It presented the information in a standardized format to allow NIST to clearly articulate to industry how it was capturing their thoughts and comments. NIST released the preliminary draft on July 1, 2013 in preparation for the third workshop, held on July 10-12, 2013.

3rd Cybersecurity Framework Workshop – July 10-12, 2013

The Third Framework Workshop was held at the University of California in San Diego, CA on July 10-12, 2013. At this workshop, the agenda heavily focused on working sessions to discuss the Preliminary Cybersecurity Framework and what should be included moving forward. NIST received a great deal of input on what participants wanted to see included in the Categories and Subcategories of the Framework, how levels of Framework implementation should be determined, and how Informative References should be included in the Core. NIST analyzed this information, shared the key take-aways with participants, and used it to create the next iteration of the Draft Framework.

Discussion Draft of Preliminary Cybersecurity Framework Released – August 28, 2013

NIST greatly expanded upon the material that was included in the 1st Preliminary Framework Draft by folding in the comments and information gathered in the previous workshop. The Draft Framework grew from an annotated outline into a fully drafted document. NIST included a 5-step process for implementation and fleshed out the Framework Core with a number of Categories, Subcategories, and Informative References.

4th Cybersecurity Framework Workshop – September 11-13, 2013

The Fourth Workshop was held at the University of Texas at Dallas in Richardson, TX on September 11-13, 2013. Before this workshop, participants were asked to review the latest draft of the Framework, as it was the focus of the agenda. Again, this workshop heavily concentrated on working sessions that split the participants into small groups to discuss their feedback about the Discussion Draft of the Framework. NIST received feedback that included the need for additional clarification around the integration of the Framework Core, Tiers, and Profiles, for expressing the Core in terms of outcomes, and for improvements in a variety of other areas of the Draft Framework.

RFC – Comments on the Preliminary Cybersecurity Framework – October 29, 2013

On October 29, 2013, NIST released an RFC seeking comments on the latest version of the Preliminary Framework Draft. Over the 45-day comment period, ending on December 13, 2013, NIST received over 200 comments. These comments, along with those received during the 5th Framework Workshop, heavily influenced the version 1.0 Framework publication.

5th Cybersecurity Framework Workshop – November 14-15, 2013

The Fifth Workshop was held at North Carolina State University in Raleigh, NC on November 14-15, 2013. During this workshop, specific breakout sessions were held on small and medium business, on how the Framework could be used, and on a voluntary critical infrastructure cybersecurity program. These breakout sessions, as well as others held during the workshop, allowed participants to openly discuss the preliminary draft and provide recommendations for enhancements that should be considered before NIST published the Framework. As with all preceding workshops, NIST summarized the key points collected during the workshop in its closing remarks, and then used the information collected during the workshop, along with comments received through the RFC, to finalize version 1.0 of the Framework.

Framework 1.0 Publication – February 12, 2014

One year after the release of Executive Order 13636, on February 12, 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. The Framework was released as voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. The Framework captured key points received from the RFIs and workshops held during its collaborative development process. The Framework incorporates comments from over 3,000 workshop attendees and 15,000 comments received during its development. While the release of Framework v1.0 was a significant milestone, NIST did not stop coordinating with industry following its release. NIST, to this day, continues community outreach activities as well as active dialogue with industry through industry workshops and continued Framework workshops.

For additional details regarding these milestones and the progress that has been made since the Framework’s initial release, including Framework v1.1, see The Evolution of the Framework.

To learn more about the completed Framework, see Components of the Framework and Uses and Benefits of the Framework.

Source: https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework