Citations
- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Ver. 1.0), 79 Fed. Reg. 9167 (Feb. 12, 2014) (full-text).
- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Ver. 1.1) (Apr. 16, 2018) (full-text).
Overview
This Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
The Framework is risk-based and is composed of three parts: the Framework Core (a set of cybersecurity activities and desired outcomes, organized into five Functions: Identify, Protect, Detect, Respond, and Recover); the Framework Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive, which characterize how rigorously an organization's cybersecurity risk management practices are defined and integrated); and the Framework Profile (the alignment of Core outcomes with the organization's business requirements, risk tolerance, and resources). The Framework provides a common taxonomy and mechanism, based on existing standards, guidelines, and practices, for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state; and
- Communicate among internal and external stakeholders about cybersecurity risk.
It provides a thorough yet flexible risk-based approach for understanding where an organization stands in terms of its cybersecurity activities and where it wants to be, so that it can meet the cybersecurity risk management priorities set by its organizational goals, legal and regulatory requirements, and industry best practices.
This perspective helps reframe cybersecurity issues in risk management terms that decision-makers may find more understandable, i.e., whether a firm should mitigate, transfer, accept, or avoid a given risk.
Companion document
NIST also issued a companion document "NIST Roadmap for Improving Critical Infrastructure Cybersecurity," which discusses NIST's next steps with the Framework and identifies key areas of development, alignment, and collaboration.
Version 1.1
Version 1.1 includes a number of updates to the original Version 1.0 (February 2014), including: a new section on self-assessment (Section 4); an expanded explanation of using the Framework for cyber supply chain risk management, including a new Supply Chain Risk Management Category (ID.SC) in the Core; refinements to better account for authentication, authorization, and identity proofing (the Access Control Category was renamed Identity Management, Authentication and Access Control, PR.AC); an explanation of the relationship between Implementation Tiers and Profiles; and consideration of coordinated vulnerability disclosure (a new Subcategory, RS.AN-5, covering processes to receive, analyze, and respond to vulnerabilities disclosed to the organization).