5 Years of the NIST Cybersecurity Framework

Last month, the NIST Cybersecurity Framework celebrated its five-year anniversary.

In February 2013, then-President Barack Obama ordered the National Institute of Science and Technology (NIST) to develop a voluntary framework for cybersecurity.

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," dictates the pursuant executive order.

Twelve months later, NIST released the original version of the NIST Cybersecurity Framework, then titled "Framework for Improving Critical Infrastructure Security."

Beyond critical infrastructureIndeed, the executive order mandating the creation of the Framework specified that the Framework be developed "to reduce cyber risks to critical infrastructure" -- but the Framework has evolved substantially since then. It has been adopted far beyond the realm of critical infrastructure, across myriad industries -- particularly as cyber-insurance carriers have all but required clients to follow the Framework as a condition of coverage. The year after NIST released its Framework, Gartner reported that it was then already in use in more than 30% of US organizations.

"Since its initial release in February 2014, we've seen extensive use of the Framework by diverse companies, sectors, governments, and other organizations," Kevin Stine, chief of the Applied Cybersecurity Division in NIST's Information Technology Lab, told Security Now. "Because the Framework offers a flexible approach that is anchored in the principle of risk management, it can be extended and interpreted to meet the business objectives of an organization -- whatever its priorities."

What's more, NIST has seen its Framework extend its guidance beyond US borders. The agency reports that several other sovereignties -- including Bermuda, Israel, Italy and Japan -- have adopted their own adaptations of the Framework.

Back in the US, the Framework, although voluntary, has taken the effect of "pseudo-law" in some cases. Federal regulatory agencies -- notably including the FTC as well as numerous bodies regulating the financial sector -- have held those it investigates to the Framework's standards when determining data-protection adequacy. Other agencies have made Framework compliance mandatory for their government contractors.

"For financial services companies, the NIST Framework seems to restate many best practices that financial services companies adhere to in their general risk management programs," Sean Mahoney, Northern Bank's General Counsel, told Security Now. "For companies in other industries, the framework is designed to address a cybersecurity program at various states of maturity."

Making security frameworks accessibleTo this end, the heart of the Framework relies on identifying, defining and tying international standards to each of five cyclical functions:

In this respect, the Framework is both an aggregator of several widely accepted best practices and a translator to allow for better, Framework-tied communication between the IT elite and lay decision-makers in the organization. To better aid in this, NIST has worked on making the Framework more accessible to organizations of all types and sizes through additional documentation, as well as direct engagement with the private sector and NGOs.

Small businesses, in particular, have drawn special attention because of their special needs. In November 2016, NIST released a guide for small businesses on using principles from the Framework to improve their cybersecurity. More recently, this very month, NIST announced that its "Small Business Cybersecurity Corner" had gone live online as an additional resource to organizations wading their way through cyber-risk management.

"NIST is committed to an open and transparent private-public partnership," said Stine. "NIST has continuously worked with all stakeholders to understand current and future challenges in the cybersecurity space through requests for information, workshops and other engagement methods."

Framework updatesAbout four months ago, for instance, NIST held a workshop on managing cybersecurity risk as, in Stine's words, "an opportunity for NIST to hear from industry [and] academia, as well as national and international collaborators, on current challenges and opportunities in the space." According to Stine, the discussion from this workshop will inform updates to further NIST guidance related to the Framework. And, to be clear, NIST and its spokespeople (including Stine in his recent comments to Security Now) have long made clear that the Framework represents "a living document" that must adjust to the ever-changing world of cyber threats and risk mitigations.

Even so, the Framework -- particularly with its first actual update (dubbed "version 1.1") last year -- seems to have withstood the test of time as a superior option even to many security frameworks developed in house. (See Digital Transformation With IoT: Assessing Risk Through Standards & Visibility.)

"This update included increased treatment of supply-chain risk management, authentication, coordinated vulnerability disclosure, and other concepts in the Framework Core," elaborated Stine. "Additionally, the Framework Implementation Tiers were enhanced to provide more guidance to organizations in the execution of a cybersecurity risk management program."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.