What is the Framework, and what is it designed to accomplish?
The NIST Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
Is my organization required to use the Framework?
No. Use of the Framework is voluntary.
Does it provide a recommended checklist of what all organizations should do?
The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.
Why should an organization use the Framework?
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer or supplier.
When and how was the Framework developed?
Version 1.0 of the Framework was prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input and issued in February 2014. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. Among other things, the EO directed NIST to work with industry leaders to develop the Framework. The Framework was developed in a year-long, collaborative process in which NIST served as a convener for industry, academia, and government stakeholders. That took place via workshops, extensive outreach and consultation, and a public comment process. NIST’s future Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework. The most recent version, Framework V1.1 was released on April 16, 2018 following a 45-day public comment period on the second draft of Framework V1.1.
What is the purpose of Executive Order 13636?
Executive Order 13636 outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. In summary, it assigns these responsibilities and establishes the policy that, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Who from the private sector helped to develop the Framework?As the Cybersecurity Framework v1.0 was being developed, thousands of people from diverse parts of industry, academia, and government participated in a host of workshops around the United States. During the course of this public development process, NIST received hundreds of detailed suggestions and comments in response to a request for information (RFI) and feedback on the public draft version of the Framework. NIST routinely engages industry through three primary activities. First, NIST continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs. Second, NIST solicits direct feedback from industry through requests for information (RFI), requests for comments (RFC), and through the NIST Framework team’s email (). Finally, NIST observes and monitors relevant resources and references published by government, academia, and industry.Still, many more individuals, organizations and industry stakeholders were directly involved and actively contributed to a series of regular workshops and public comment periods held throughout the process of updating the Framework. This effort culminated in the release of the Cybersecurity Framework Version 1.1. The Framework is a living document and will continue to be updated, improved and refined as industry provides feedback on implementation.
Why is NIST involved? What is NIST’s role in setting cybersecurity standards?
NIST is a federal agency within the United States Department of Commerce. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is also responsible for establishing computer- and information technology-related standards and guidelines for federal agencies to use. Many private sector organizations have made widespread use of these standards and guidelines voluntarily for several decades, especially those related to information security.
How can we obtain NIST certification for our Cybersecurity Framework products/implementation?
NIST does not offer certifications or endorsement of Cybersecurity Framework implementations or Cybersecurity Framework-related products or services. NIST shares industry resources and success stories that demonstrate real-world application and benefits of the Framework. Sharing your own experiences and successes inspires new use cases and helps users more clearly understand Framework application and implementation. To contribute to these initiatives, contact .
