NIST Cybersecurity Framework explained

The NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices.[1] The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes",[2] in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context.[3] It has been translated into many languages, and is used by several governments[4] and a wide range of businesses and organizations.[5][6][7]

A 2016 study found that 70% of organizations surveyed see the NIST Cybersecurity Framework as a popular best practice for computer security, but many note that it requires significant investment.[8]

Overview

The NIST Cybersecurity Framework is designed for individual businesses and other organizations to assess risks they face.

The NIST Cybersecurity Framework is deliberately designed to be expansive and adaptable. Essentially, it offers a high-level perspective on how organizations should tackle cybersecurity risk management, allowing individual companies to determine the specifics of implementing the framework.[9]

Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. In 2017, a draft version of the framework, version 1.1, was circulated for public comment. Version 1.1 was announced and made publicly available on April 16, 2018. Version 1.1 is still compatible with version 1.0. Version 2.0 was published in 2024.[10]

The changes in version 1.1 include guidance on how to perform self-assessments, additional detail on supply chain risk management, guidance on how to interact with supply chain stakeholders, and encouragement of a vulnerability disclosure process.

The framework is divided into three parts, "Core", "Profile" and "Tiers". The "Framework Core" contains an array of activities, outcomes and references about aspects and approaches to cybersecurity. The "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach.[11] A "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments.

An organization typically starts by using the framework to develop a "Current Profile" which describes its cybersecurity activities and what outcomes it is achieving. It can then develop a "Target Profile", or adopt a baseline profile tailored to its sector (e.g. infrastructure industry) or type of organization. It can then define steps for switching from its current profile to its target profile.
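The Current Profile to Target Profile step described above amounts to a gap analysis over the framework's outcomes. The following Python script is an added illustration of that step, not NIST's own tooling and not code from the framework document: it records, for each subcategory outcome, the Implementation Tier an organization has reached (Tier 1 "Partial" through Tier 4 "Adaptive", the tier names used by CSF 1.1), compares the two profiles, and orders the resulting steps by the size of the shortfall. The subcategory identifiers follow the framework's `FUNCTION.CATEGORY-n` format and the tier values are constructed sample data; treating an outcome absent from the Current Profile as Tier 1 is an assumption made here.

```python
"""Gap analysis between a CSF "Current Profile" and a "Target Profile".

Added example (not NIST tooling). A profile is modelled as a mapping from a
subcategory outcome identifier to the Implementation Tier (1-4) the
organization has reached, or wants to reach, for that outcome.
"""
from dataclasses import dataclass

# Function prefixes used in the framework's identifiers (ID.AM-1, PR.AC-1, ...).
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Implementation Tier names as used by CSF 1.1.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        """Number of tiers the organization still has to climb for this outcome."""
        return self.target - self.current


def _function_of(subcategory: str) -> str:
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown Function prefix in {subcategory!r}")
    return prefix


def validate_profile(profile: dict[str, int]) -> None:
    """Reject identifiers with an unknown Function prefix or tiers outside 1-4."""
    for subcategory, tier in profile.items():
        _function_of(subcategory)
        if tier not in TIERS:
            raise ValueError(f"tier {tier!r} for {subcategory} is not in 1..4")


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Return every outcome whose target tier exceeds its current tier.

    Ordering: largest shortfall first, then framework Function order
    (Identify, Protect, Detect, Respond, Recover), then identifier.
    An outcome missing from the current profile is assumed to sit at Tier 1.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for subcategory, target_tier in target.items():
        current_tier = current.get(subcategory, 1)  # assumption: absent == Tier 1
        if target_tier > current_tier:
            prefix = _function_of(subcategory)
            gaps.append(Gap(subcategory, FUNCTIONS[prefix], current_tier, target_tier))
    order = list(FUNCTIONS)
    gaps.sort(key=lambda g: (-g.delta, order.index(_function_of(g.subcategory)), g.subcategory))
    return gaps


def action_plan(gaps: list[Gap]) -> list[str]:
    """One remediation step per tier increment, in the order the gaps were ranked."""
    steps = []
    for g in gaps:
        for tier in range(g.current + 1, g.target + 1):
            steps.append(
                f"{g.subcategory} ({g.function}): raise from Tier {tier - 1} "
                f"({TIERS[tier - 1]}) to Tier {tier} ({TIERS[tier]})"
            )
    return steps


def summarize_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Total tier shortfall per Function, useful for sizing the effort."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.delta
    return totals


# Constructed sample profiles (tier values are illustrative, not real assessments).
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2, "PR.DS-1": 2}

if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for step in action_plan(found):
        print(step)
    print(summarize_by_function(found))
```

The ranking key is the design choice worth noting: sorting by shortfall first surfaces the outcomes where the organization is furthest from its target, while the secondary Function ordering keeps the plan readable against the framework's own structure. Real profiles would carry the prioritisation and rationale the framework asks for alongside the tier number; this script only shows the mechanical comparison.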

Recent research has indicated that NIST has the ability to shape standards of cybersecurity for infrastructure firms and the private sector, especially given that standards for cybersecurity have not yet been defined. Research has also shown the potential for NIST to have an impact internationally on cybersecurity beyond just the United States, which could create a better standard, help businesses that operate across borders, and lead to more cyber peace.[12]

Functions and categories of cybersecurity activities

The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all.

For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references require a paid membership or purchase to access their respective guides. The cost and complexity of the framework have resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.[13][14]

Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document.[15]

Identify

"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

Protect

"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

Detect

"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

Respond

"Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident."

Recover

"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident."

Online Informative References

In addition to informative references in the framework's core, NIST also maintains an online database of informative references.[16] Informative References show relationships between Framework Functions, Categories, and Subcategories and specific sections of standards, guidelines, and best practices common among Framework stakeholders. Informative References illustrate ways to achieve Framework outcomes.

Updates

In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies’ operational environments.[17]

Journey to CSF 2.0

The NIST Cybersecurity Framework is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best practices and lessons learned. Since the release of version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released a subsequent concept paper in January 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and has requested that public comments be submitted by November 4, 2023.[18]

Main Changes

The following is a list of the major changes to the framework from version 1.1 to 2.0:[19]

  1. The title of the framework has changed from "Framework for Improving Critical Infrastructure Cybersecurity" to "Cybersecurity Framework". The scope of the framework has been updated to reflect the large population of organizations that use the framework.
  2. Implementation examples have been added to provide practical and action-oriented processes to help users achieve the CSF subcategories. Additionally, the framework Profiles have been revised and expanded to demonstrate the various purposes of the profiles.
  3. A new Function, Govern, has been added to provide organizational context and the roles and responsibilities associated with developing a cybersecurity governance model. There is also an additional category in this Function focused on cybersecurity supply chain risk management.
  4. The latest update also provides greater information on cybersecurity assessments by placing greater importance on the continuous improvement of security through a new Improvement Category in the Identify Function.

External links

Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft)

Notes and References

  1. Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (2020-01-01). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity 6: tyaa005. doi:10.1093/cybsec/tyaa005. ISSN 2057-2085.
  2. "Achieving Successful Outcomes With the NIST Cybersecurity Framework". GovLoop, February 13, 2019. Retrieved 2021-06-12.
  3. "HIMSS: NIST Cybersecurity Framework Positive, Can Improve". HealthITSecurity, February 10, 2016. Retrieved 2016-08-02.
  4. "NIST Cybersecurity Framework". Web site.
  5. "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop, April 7, 2016. Retrieved 2016-08-02.
  6. "NIST Cybersecurity Framework Updates, Clarification Underway". HealthITSecurity, June 10, 2016. Retrieved 2016-08-02.
  7. "Why you should adopt the NIST Cybersecurity Framework". PricewaterhouseCoopers. Retrieved 2016-08-04.
  8. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading, March 30, 2016. Retrieved 2016-08-02.
  9. Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (2020-01-01). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity 6 (1). doi:10.1093/cybsec/tyaa005. ISSN 2057-2085.
  10. "NIST Releases Version 2.0 of Landmark Cybersecurity Framework". Web site.
  11. Seitz, Justin (2021-04-14). Black Hat Python: Python Programming for Hackers. No Starch Press. ISBN 978-1718501126.
  12. Shackelford, Scott J.; Proia, Andrew A.; Martell, Brenton; Craig, Amanda N. (2015). "Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices". Texas International Law Journal 50 (2/3): 305–355. SSRN 2446631.
  13. "MAIN STREET Cybersecurity Act of 2017". congress.gov, October 5, 2017.
  14. "NIST Small Business Cybersecurity Act of 2017". congress.gov, October 5, 2017.
  15. National Institute of Standards and Technology (16 April 2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. doi:10.6028/nist.cswp.04162018.
  16. "Informative References". NIST, 2017-11-27. Retrieved 2020-04-17.
  17. "Security Measures for "EO-Critical Software" Use". NIST, 2021-05-12.
  18. The NIST Cybersecurity Framework 2.0. NIST, 2023. doi:10.6028/NIST.CSWP.29.ipd. Retrieved 20 October 2023.
  19. "Public Draft: The NIST Cybersecurity Framework 2.0". NIST. Retrieved 20 October 2023.