The NIST Cybersecurity Framework

by John Bandler

The NIST cybersecurity framework is valuable cybersecurity guidance, free to access and use, created by lots of smart people, paid for with U.S. tax dollars. It is voluntary guidance organizations may choose to follow, adapt, or disregard.

What is a cybersecurity framework?

A cybersecurity framework is simply guidance, or best practices to manage cybersecurity and information security.

There are many valuable frameworks for cybersecurity and information security to help organizations with the complex task of managing and securing their information assets. These frameworks are voluntary guidance, which organizations may choose to follow, adapt, or disregard. Compare this guidance with laws and regulations, which may impose mandatory rules upon the organization ("external rules").

Simply put, a cybersecurity framework is a suggested best practice. It is not mandatory; it is voluntary guidance. Cybersecurity is complicated, and we cannot expect every organization to reinvent the wheel while securing itself. (PS, there might be circumstances where a "voluntary" framework becomes mandatory thanks to a contract or other requirement.)

I write more about cybersecurity frameworks and other guidance.

NIST is a respected government agency

NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. They are funded by our federal tax dollars and do a lot of great work, thanks to many smart and hard-working people there.

The NIST frameworks are created and maintained by some really smart people in our government, paid for with tax dollars, and made publicly available at no cost and with no license agreement.

In contrast, many other frameworks come from for-profit or not-for-profit organizations (and some that blend both types of organizations somehow). Some frameworks cost money to access, and have legal terms about their usage.

But NIST makes their cybersecurity framework (and all of their other publications) freely and publicly available. Amazing. People should take advantage of it.

Who is the NIST cybersecurity framework for?

The NIST cybersecurity framework can be applied to any organization, of any type.

That said, it is geared for readers with a high degree of technology and information security knowledge, and for organizations with in-house personnel with that level of understanding. And much of it pertains to a degree of complexity, detail, and tools that many smaller organizations do not possess nor have the resources to address.

The NIST cybersecurity framework (like most frameworks except for mine) might be too technical for most individuals to understand, and for most smaller and mid-sized organizations to implement.

The NIST cybersecurity framework itself is 55 pages, almost 17,000 words. On word count alone, that would be at least 1.5 hours to read through. But it is not an easy read; it has some terms that some users might need to research. NIST also provides additional information to help implement the framework, and that would take time to read and understand.

History of the NIST CSF

NIST has been creating information security related frameworks for decades (and lots of other voluntary standards for other areas).

Then in 2013 they were tasked by President Obama to create a "Cybersecurity Framework" for our nation's "critical infrastructure". Something more business friendly than some of their other extremely complicated frameworks. The CSF was born. Here's the chronology:

  • Executive Order 13636 by President Obama on 2/12/2013 for "Improving Critical Infrastructure Cybersecurity"
  • NIST CSF Version 1.0 was published in February 2014, titled "Framework for Improving Critical Infrastructure Cybersecurity", commonly known as the NIST Cybersecurity Framework (CSF).
  • NIST CSF Version 1.1 was published in April 2018 (current version)
  • NIST CSF Version 2 is in the works, a draft version was released in August 2023, comments closed in November 2023.

Summary of the NIST CSF v 1.1

The NIST Cybersecurity Framework (NIST CSF) is organized into five main categories ("functions") of:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

It recognizes that the work of cybersecurity through these five categories is a cyclical process.

These five categories are further subdivided into areas of focus.

  • Identify
    • Asset Management (ID.AM)
    • Business Environment (ID.BE)
    • Governance (ID.GV)
    • Risk Assessment (ID.RA)
    • Risk Management Strategy (ID.RM)
    • Supply Chain Risk Management (ID.SC)
  • Protect
    • Identity Management, Authentication and Access Control (PR.AC)
    • Awareness and Training (PR.AT)
    • Data Security (PR.DS)
    • Information Protection Processes and Procedures (PR.IP)
    • Maintenance (PR.MA)
    • Protective Technology (PR.PT)
  • Detect
    • Anomalies and Events (DE.AE)
    • Security Continuous Monitoring (DE.CM)
    • Detection Processes (DE.DP)
  • Respond
    • Response Planning (RS.RP)
    • Communications (RS.CO)
    • Analysis (RS.AN)
    • Mitigation (RS.MI)
    • Improvements (RS.IM)
  • Recover
    • Recovery Planning (RC.RP)
    • Improvements (RC.IM)
    • Communications (RC.CO)

This NIST CSF is at Version 1.1, released April 2018. Version 2.0 is in the works.

NIST CSF links include:

Other NIST CSF guidance for small businesses

NIST has other frameworks and guidance too

NIST has many publications, many of which could be called "frameworks" that relate to "cybersecurity". So remember there is not just one NIST framework for information security.

All of the NIST frameworks are publicly available and easily downloadable for free, without any registration. So thank you to the U.S. Government (and tax dollars) for that.

NIST SP 800-53 

NIST SP 800-53A

  • NIST SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations, Jan 2022
  • NIST SP 800-53A Rev. 5 landing page, https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
  • NIST SP 800-53A Rev. 5 full document, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf (733 pages)

NIST SP 800-171

NIST Privacy Framework

NIST Risk Management Framework

Miscellaneous

Some NIST general website links are:

Bandler's Four Pillars of Cybersecurity

In contrast to many cybersecurity frameworks, my Four Pillars framework is short, intuitive, and understandable by anyone.

Perfect for individuals, small organizations, and many medium sized organizations.

Even for organizations that follow a more complex framework, the Four Pillars allows individuals within that organization to better comprehend whatever cybersecurity framework their organization has adopted.

The Four Pillars can always be backstopped by a more robust framework such as the NIST CSF. And if an organization using the Four Pillars framework increases in size and maturity to the point where it requires a more complex framework, the fuller transition to more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Twenty Critical Security Controls, is simple.

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Improve knowledge and awareness for better decision making at all levels (e.g., re: cybercrime threats, information security, technology, and legal requirements)
  2. Secure computing devices
  3. Secure data
  4. Secure networks and use of the Internet.
  5. [Repeat]

Read more about the Four Pillars of Cybersecurity here.

Conclusion

A cybersecurity framework is just external guidance. The NIST CSF is very respected and used by many. The NIST CSF and all other NIST publications are freely available thanks to the U.S. Government and our tax dollars, so take full advantage of that.

Also consider my Four Pillars of Cybersecurity. It is much simpler and freely available on this website (copyright protections may apply).

This is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional reading

This article is hosted at https://johnbandler.com/nist-cybersecurity-framework. Copyright John Bandler, all rights reserved.

Posted 12/4/2023. Updated 12/8/2023.