What is the relationship between the Cybersecurity Framework and the NICE Cybersecurity Workforce Framework?
Workforce plays a critical role in managing cybersecurity, and many of the Cybersecurity Framework outcomes are focused on people and the processes those people perform. While some outcomes speak directly about the workforce itself (e.g., roles, communications, training), each of the Core subcategory outcomes is accomplished as a task (or set of tasks) by someone in one or more work roles. One could easily append the phrase “by skilled, knowledgeable, and trained personnel” to any one of the 108 subcategory outcomes. From this perspective, the Cybersecurity Framework provides the “what” and the NICE Framework provides the “by whom.”
While the Cybersecurity Framework and the NICE Framework were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.
The Cybersecurity Workforce Framework was developed and is maintained by the National Initiative for Cybersecurity Education (NICE), a partnership among government, academia, and the private sector with a mission to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. Where the Cybersecurity Framework provides a model to help identify and prioritize cybersecurity actions, the NICE Framework (NIST Special Publication 800-181) describes a detailed set of work roles, tasks, and knowledge, skills, and abilities (KSAs) for performing those actions.
The NIST Roadmap for Improving Critical Infrastructure Cybersecurity, a companion document to the Cybersecurity Framework, reinforces the need for a skilled cybersecurity workforce. It recognizes that, as cybersecurity threat and technology environments evolve, the workforce must adapt in turn. The NICE program supports this vision and includes a strategic goal of helping employers recruit, hire, develop, and retain cybersecurity talent. One objective within this strategic goal is to publish and raise awareness of the NICE Framework and encourage adoption. Adoption, in this case, means that the NICE Framework is used as a reference resource for actions related to cybersecurity workforce, training, and education.
What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework?
NIST modeled the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Cybersecurity Framework. While good cybersecurity practices help manage privacy risk by protecting information, those cybersecurity measures alone are not sufficient to address the full scope of privacy risks that also arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.
During the development process, numerous stakeholders requested alignment with the structure of the Cybersecurity Framework so the two frameworks could more easily be used together. In response to this feedback, the Privacy Framework follows the structure of the Cybersecurity Framework, composed of three parts: the Core, Profiles, and Implementation Tiers.
This structure enables a risk- and outcome-based approach that has contributed to the success of the Cybersecurity Framework as an accessible communication tool. In addition, the alignment aims to reduce complexity for organizations that already use the Cybersecurity Framework.
Details about how the Cybersecurity Framework and Privacy Framework functions align and intersect can be found in the Privacy Framework FAQs.
What is the relationship between the Framework and the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program?
EO 13636 directed the National Institute of Standards and Technology to work with industry to develop a framework for reducing cybersecurity risks. The EO also charged the Department of Homeland Security with developing a voluntary program to promote use of the Framework and help critical infrastructure organizations improve their cybersecurity. In February 2014, DHS launched the Critical Infrastructure Cyber Community (C3, pronounced “C-Cubed”) Voluntary Program. The C3 Voluntary Program helps align critical infrastructure owners and operators with existing resources to assist in their efforts to use the Framework and manage their cybersecurity risks. More information about the C3 Voluntary Program may be found on the DHS Web site.
What is the relationship between the Framework and the DHS Cyber Resilience Review?
A description of the relationship between the DHS Cyber Resilience Review (CRR) and the Cybersecurity Framework can be found at the DHS Web site.
Is the Framework being aligned with international cybersecurity initiatives and standards?
While the Framework was born through U.S. policy, it is not a “U.S. only” Framework. Private sector stakeholders made it clear from the outset that global alignment is important to avoid confusion and duplication of effort, or even conflicting expectations in the global business environment. These needs have been reiterated by multi-national organizations. The importance of international standards organizations and trade associations for acceptance of the Framework’s approach has been widely recognized. Some countries and international entities are adopting approaches that are compatible with the framework established by NIST, and others are considering doing the same. The Framework has been translated into several other languages. NIST has been holding regular discussions with many nations and regions, and making noteworthy internationalization progress. NIST is actively engaged with international standards-developing organizations to promote adoption of approaches consistent with the Framework.
What is the relationship between the Framework and NIST’s Cyber-Physical Systems (CPS) Framework?
The Cybersecurity Framework provides the underlying cybersecurity risk management principles that support the new Cyber-Physical Systems (CPS) Framework. The CPS Framework document is intended to help manufacturers create new CPS that can work seamlessly with other smart systems that bridge the physical and computational worlds.
The CPS Framework includes a structure and analysis methodology for CPS. The goal of the CPS Framework is to develop a shared understanding of CPS, its foundational concepts and unique dimensions, promoting progress through the exchange of ideas and integration of research across sectors and to support development of CPS with new functionalities.
What is the relationships between Internet of Things (IoT) and the Framework? Do we need an ‘IoT Framework?’
The Cybersecurity Framework is applicable to many different technologies, including Internet of Things (IoT) technologies. Developing separate frameworks of cybersecurity outcomes specific to IoT might risk losing a critical mass of users aligning their cybersecurity outcomes to the Cybersecurity Framework. To retain that alignment, NIST recommends continued evaluation and evolution of the Cybersecurity Framework to make it even more meaningful to IoT technologies. NIST welcomes observations from all parties regarding the Cybersecurity Framework’s relevance to IoT, and will vet those observations with the NIST Cybersecurity for IoT Program.
What is the relationship between the Framework and the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework. The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk.
What is the relationship between threat and cybersecurity frameworks?
Threat frameworks are particularly helpful understanding current or potential attack lifecycle stages of an adversary against a given system, infrastructure, service, or organization. They characterize malicious cyber activity, and possibly related factors such as motive or intent, in varying degrees of detail. Threat frameworks stand in contrast to the controls of cybersecurity frameworks that provide safeguards against many risks, including the risk that adversaries may attack a given system, infrastructure, service, or organization. While NIST has not promulgated or adopted a specific threat framework, we advocate the use of both types of frameworks as tools to make risk decisions and evaluate the safeguards thereof. In particular, threat frameworks may provide insights into which safeguards are more important at this instance in time, given a specific threat circumstance. As circumstances change and evolve, threat frameworks provide the basis for re-evaluating and refining risk decisions and safeguards using a cybersecurity framework. A threat framework can standardize or normalize data collected within an organization or shared between them by providing a common ontology and lexicon.
Example threat frameworks include the U.S. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework (CTF), Lockheed Martin’s Cyber Kill Chain®, and the Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model. Each threat framework depicts a progression of attack steps where successive steps build on the last step. At the highest level of the model, the ODNI CTF relays this information using four Stages – Preparation, Engagement, Presence, and Consequence. These Stages are de-composed into a hierarchy of Objectives, Actions, and Indicators at three increasingly-detailed levels of the CTF, empowering professionals of varying levels of understanding to participate in identifying, assessing, managing threats. This property of CTF, enabled by the de-composition and re-composition of the CTF structure, is very similar to the Functions, Categories, and Subcategories of the Cybersecurity Framework. In its simplest form, the five Functions of Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – empower professionals of many disciplines to participate in identifying, assessing, and managing security controls. It is recommended that organizations use a combination of cyber threat frameworks, such as the ODNI Cyber Threat Framework, and cybersecurity frameworks, such as the Cybersecurity Framework, to make risk decisions.
What is the difference between a translation and adaptation of the Framework?
A translation is considered a direct, literal translation of the language of Version 1.0 or 1.1 of the Framework. No content or language is altered in a translation. Current translations can be found on the International Resources page.
An adaptation is considered a version of the Framework that substantially references language and content from Version 1.0 or 1.1 but incorporates new, original content. An adaptation can be in any language. Current adaptations can be found on the International Resources page.
What is the relationship between the PNT Cybersecurity Profile and the Cybersecurity Framework?
The Positioning, Navigation, and Timing (PNT) Profile was created using the NIST Cybersecurity Framework and can be applied as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT services. The PNT Profile is broadly applicable and can serve as a foundation for the development of sector-specific guidance. It provides a flexible framework for users to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, or unintentional.
The PNT Profile is intended to be implemented within the larger context of an organization that is developing and executing its own cybersecurity program. It is best implemented if a cybersecurity program is in place at the organizational level. However, that does not preclude any organization from implementing the PNT Profile even if a cybersecurity program is not yet in place.
The Cybersecurity Framework Core Functions and guidance in the PNT Profile address the generic needs of PNT users in critical infrastructure that depend on PNT services to meet their business objectives. In order to support a risk-based, practical, and effective approach to the responsible use of PNT, organizations can select, tailor, and augment the security controls defined in PNT references. For detailed information about how the Cybersecurity Framework was used to develop the PNT Profile, see