- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Ver. 1.0), 79 Fed. Reg. 9167 (Feb. 12, 2014).
- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Draft Ver. 1.1) (Jan. 10, 2017).
This Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
The Framework is risk-based, and is composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework provides a common taxonomy and mechanism, based on existing standards, guidelines, and practices, for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state; and
- Communicate among internal and external stakeholders about cybersecurity risk.
It provides a thorough, yet flexible risk-based approach for understanding where an organization stands in terms of its cybersecurity activities and where it would like to be to ensure that it is able to achieve its cybersecurity risk management priorities as defined by organizational goals, legal and regulatory requirements, and industry best practices.
This perspective helps reframe cybersecurity issues in risk management terms that may be more understandable for decision-makers, i.e., whether a firm should mitigate, transfer, accept, or avoid a given risk.
Companion document
NIST also issued a companion document "NIST Roadmap for Improving Critical Infrastructure Cybersecurity," which discusses NIST's next steps with the Framework and identifies key areas of development, alignment, and collaboration.
(Draft) Version 1.1
This draft provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. The updated framework aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks.
The draft incorporates feedback received since the release of Framework Version 1.0, and integrates comments from a December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop 2016 held at the NIST campus in Gaithersburg, Maryland.