What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology, usually called NIST, is an agency that is part of the U.S. Department of Commerce. One of the many roles of NIST is to provide guidelines on cybersecurity for information systems.
The cornerstone of this work is the NIST Cybersecurity Framework, which was released in 2014 under an executive order from President Barack Obama. A subsequent executive order, issued in 2017 by President Donald Trump, made compliance with the NIST Cybersecurity Framework mandatory for all federal government agencies and all entities in their supply chain.
“To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
-the NIST mission
The NIST Cybersecurity Framework was initially created in 2004 to improve the security of U.S. critical infrastructures, defined as the assets, systems, and functions deemed vital. It defines 16 critical infrastructure sectors, including:
- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy (including utilities)
- Financial services
- Food and agriculture
- Government facilities
- Healthcare companies and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
The U.S. government subsequently adopted the NIST Cybersecurity Framework as a mandatory standard to regulate security for all federal information systems in 2017.
While not mandatory, the best practices, standards, and recommendations set forth in the NIST Cybersecurity Framework are also widely used by nonfederal agencies and providers to identify, detect, and respond to cyberattacks.
In addition, guidelines in the framework are also used to prevent and recover from an attack. Using the NIST Cybersecurity Framework helps nonfederal organizations ensure the optimal security of systems and assures the public of their commitment to security.
The NIST Cybersecurity Framework is comprised of three sections—framework core components, implementation tiers, and profiles. Each of these is sub-divided into five areas of cybersecurity:
- Identify
- Protect
- Detect
- Respond
- Recover
The framework details specific activities in these five areas to mitigate cybersecurity risk. Categories and subcategories include descriptions of best practices for security practices and incident response plans. The NIST Cybersecurity Framework also provides direction for successfully recovering from a ransomware attack.
Getting started with the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is one of the most widely employed cybersecurity frameworks in the U.S. However, it takes effort to implement. Getting started with framework begins with an in-depth review of its five foundational elements.
- Identify
Identify and assess cybersecurity risks to systems, assets, data, and resources. Included in this function are:- Asset management (ID.AM)
- Business environment (ID.BE)
- Governance (ID.GV)
- Risk assessment (ID.RA)
- Risk management strategy (ID.RM)
- Supply chain risk management (ID.SC)
- Protect
Evaluate existing cybersecurity procedures and processes to ensure adequate protection for the organization’s assets. Included in this function are:- Awareness and training (PR.AT)
- Data security (PR.DS)
- Identity management, authentication, and access control (PR.AC)
- Information protection processes and procedures: (PR.IP)
- Maintenance (PR.MA)
- Protective technology (PR.PT)
- Detect
The Detect element defines, develops, and implements the appropriate cybersecurity activities to identify threats and vulnerabilities quickly. Included in this function are:- Anomalies and events (DE.AE)
- Detection process (DE.DP)
- Security continuous monitoring (DE.CM)
- Respond
This element guides an organization’s assessment of its plan to respond to a cyberattack or identify a threat. Included in this function are:- Analysis (RS.AN)
- Communications (RS.CO)
- Improvements (RS.IM)
- Mitigation (RS.MI)
- Response planning (RS.RP)
- Recover
The Recover element helps organizations evaluate their cybersecurity policies to ensure they have plans to recover and repair the damage done by a cyberattack. Included in this function are:- Communications (RC.CO)
- Improvements (RC.IM)
- Recovery planning (RC.RP)
NIST Cybersecurity Framework examples
In addition to the NIST Cybersecurity Framework, NIST has produced more than 200 special publications focusing on specific cybersecurity risk management areas, such as risk assessments, identity access control, managing protective technology, and responding to a cybersecurity event or incident. Examples of the most frequently used NIST Cybersecurity Framework publications include the following.
NIST Special Publication (SP) 800-30
NIST SP 800-30, a Guide for Conducting Risk Assessments, provides guidance for cyber risk assessments and management. It includes controls and control baselines based on industry recommendations and standards. NIST SP 800-30 also helps organizations present cyber risk in a way that leadership teams can understand.
NIST Special Publication (SP) 800-37
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, describes the Risk Management Framework (RMF). It also provides guidelines for applying the RMF to information systems and organizations. NIST SP 800-37 includes a detailed, six-step process for managing security and privacy risk.
NIST Special Publication (SP) 800-53
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, provides the controls required to implement the NIST Cybersecurity Framework. NIST SP 800-53 has over 1,000 controls across twenty control families.
By implementing the security controls set forth in NIST 800-53, organizations meet Federal Information Security Modernization Act (FISMA) security requirements. In addition, implementing NIST 800-53 controls meets Federal Information Processing Standard Publication 200 (FIPS 200) requirements, which are mandatory for all federal agencies and entities in their supply chain.
NIST Special Publication (SP) 800-122
NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), provides recommendations for handling PII (Personally Identifiable Information). It offers practical, context-based guidance for identifying PII.
NIST SP 800-122 also provides guidance on determining what level of protection is appropriate for each instance and recommends safeguards. In addition, NIST SP 800-122 provides direction for developing response plans for breaches involving PII.
NIST Special Publication (SP) 800-125
NIST SP 800-125, Guide to Security for Full Virtualization Technologies, provides recommendations for addressing the security challenges related to full server and desktop virtualization technologies. NIST 800-125 defines virtualization for government use and outlines requirements for securing hardening and provisioning virtual systems.
NIST Special Publication (SP) 800-171
Under NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, compliance is mandatory for every organization contracting with the U.S. Department of Defense (DoD). It covers all nonfederal information systems and organizations that are DoD contractors and process, store, or transmit Controlled Unclassified Information (CUI). Under NIST SP 800-171, these entities must meet the minimum security standards established by the Defense Federal Acquisition Regulation Supplement (DFARS) to retain their DoD contracts.
NISTIR 8170
Another NIST publication, NISTIR 8170, Approaches for Federal Agencies to Use the Cyber Security Framework, details eight approaches for using the NIST Cybersecurity Framework.
- Integrate enterprise and cybersecurity risk management by communicating with universally understood risk terms.
- Manage cybersecurity requirements using a construct that enables integration and prioritization of requirements.
- Integrate and align cybersecurity and acquisition processes by relaying requirements and priorities in common and concise language.
- Evaluate organizational cybersecurity using a standardized and straightforward measurement scale and self-assessment criteria.
- Manage the cybersecurity program by determining which outcomes necessitate common controls and apportioning work and responsibility for those outcomes.
- Maintain a comprehensive understanding of cybersecurity risk using a standard organizing structure.
- Report cybersecurity risks using a universal and understandable structure.
- Inform the tailoring process using a comprehensive reconciliation of cybersecurity requirements.
NIST Cybersecurity Framework FAQ
How does the NIST Cybersecurity Framework enhance security?
The NIST Cybersecurity Framework helps organizations protect critical systems and data by providing guidance to increase security awareness and preparedness. This flexible model supports security improvements by helping organizations better:
- Communicate new requirements throughout the organization
- Create a new cybersecurity program and requirements
- Determine current levels of implemented cybersecurity measures by creating a profile
- Identify new potential cybersecurity standards and policies to enhance cybersecurity
Is there a NIST Cybersecurity Framework certification?
There is no certification for the overall NIST Cybersecurity Framework, but there is a NIST cybersecurity implementation certification. This certification attests to an organization’s ability to use NIST best practices and standards to implement the structure, governance, and policy required for robust cybersecurity.
What are the three parts of the NIST Cybersecurity Framework?
There are three parts to the NIST Cybersecurity Framework: Core, Implementation, and Profile. The objective of these is to provide a strategic view of the cybersecurity risks in an organization.
The Core is a set of activities needed to achieve different levels of security. These are divided into four categories.
- Functions
The five functions cover most cybersecurity functions. They are Identify, Detect, Protect, Respond, and Recover. - Categories
Under each function, categories specify the required tasks (e.g., implement software updates, install antivirus and antimalware programs, and have access control policies to carry out the “protect” function). - Subcategories
These specify the tasks associated with the categories (e.g., turning on auto-updates on systems to support the “implement software updates” category). - Informative sources
This supporting documentation explains how to perform the tasks set forth in the various functions, categories, and subcategories.
The NIST Cybersecurity Framework Implementation section consists of four tiers that describe the degree to which an organization has implemented NIST controls and how closely its cybersecurity risk management practices follow the guidelines. The higher the tier, the more compliant the organization.
- Tier One—Partial
At Tier One, organizations do not have cybersecurity coordination or processes. Tier One organizations do not prioritize cybersecurity. This is usually because they lack time, staff, or budget. - Tier Two—Risk-informed
Organizations at Tier Two of the NIST Cybersecurity Framework are aware of some risks and plan to respond to them to meet compliance requirements. However, despite these efforts, Tier Two organizations are not aware of or addressing all security concerns quickly enough. - Tier Three—Repeatable
Tier Three organizations have clearly defined and regularly repeatable cybersecurity processes. These organizations have executive support for implementing risk management and cybersecurity best practices. Organizations that have reached Tier Three are well prepared to address cybersecurity risks and threats as well as identify and remediate vulnerabilities in their environments. - Tier Four—Adaptive
At the top tier of the NIST Cybersecurity Framework, Tier Four organizations proactively implement and upgrade cybersecurity measures. These organizations use advanced adaptive cybersecurity practices to continuously assess risky behaviors or events to help protect from or adapt to threats before they happen.
NIST Cybersecurity Framework Profiles describe an organization’s current cybersecurity measures and help define requirements for strategic security roadmaps. These profiles aim to help organizations identify vulnerabilities and move to the next implementation tier. Profiles also align Functions, Categories, and Subcategories with the organization’s requirements, risk tolerance, and resources.
What are NIST Special Publications?
NIST Special Publications provide detailed specifications in subject areas, often to clarify a topic. NIST has hundreds of special publications that include guidelines, recommendations, and reference materials. They fall into three categories:
- SP 500 — Information technology (relevant documents)
- SP 800 — Computer security
- SP 1800 — Cybersecurity practice guides
Is compliance with the NIST Cybersecurity Framework mandatory?
For federal agencies and any entity in the supply chain of a federal agency, compliance is required. For all other entities, it is recommended, but is optional.
What is the connection between NIST SP 800-53 and FISMA?
Compliance with NIST SP 800-53, Security and Privacy Controls for Federal Information Systems, helps organizations meet the Federal Information Security Modernization Act (FISMA) requirements with a nine-step checklist.
- Categorize the data and information systems that need to be protected.
- Develop an applicable security control baseline for the minimum controls required to protect that information.
- Assess the security controls to determine the extent to refine your baseline controls and ensure that they are implemented correctly, operating as intended, and meeting the organization’s security requirements.
- Document the design, development, and implementation details for the baseline controls in a security plan.
- Implement security controls.
- Monitor the performance of the implemented controls.
- Determine risk based on an assessment of the security controls.
- Authorize the information system for processing based on a determination that any identified risks are acceptable.
- Conduct continuous monitoring of the security controls in the information system and environment to manage effectiveness, changes to the system or environment, and compliance.
What is the difference between ISO 27001 and the NIST Cybersecurity Framework?
Three differences between NIST and ISO 27001 are:
- Certification
- The NIST Cybersecurity Framework is a self-certified framework that does not require outside certification.
- ISO 27001 offers globally-recognized certification based on a third-party audit.
- Cost
- The NIST Cybersecurity Framework is free.
- Organizations are charged a fee to access ISO 27001 documentation.
- Use cases
- The NIST Cybersecurity Framework is best for organizations creating a cybersecurity strategy, addressing specific vulnerabilities, or responding to data breaches.
- ISO 27001 is best for organizations with a mature cybersecurity program that pursue the ISO certification to bolster their security credibility.
The NIST Cybersecurity Framework: A security multiplier
In addition to providing unparalleled security guidance, the NIST Cybersecurity Framework helps organizations comply with many other security and privacy frameworks, such as the International Organization for Standardization’s ISO 27001 and the Health Insurance Portability and Accountability Act (HIPAA).
The NIST Cybersecurity Framework is also used as the basis for other regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), the New York State Department of Financial Services Cybersecurity Regulation (NYDFS 23 NYCRR Part 500) and the National Association of Insurance Commissioners (NAIC) Model Law Act.
Many organizations benefit from the NIST Cybersecurity Framework. Not only does it provide a rich set of guidelines that will uplevel security and increase cyber resilience, NIST dutifully keeps it current. Since its introduction in 2014, the NIST Cybersecurity Framework has been continually updated to reflect changes in technology and the threat landscape.