Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


07:00 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli

5 Years of the NIST Cybersecurity Framework

With NIST celebrating the five-year anniversary of its widely adopted and recommended Cybersecurity Framework just last month, a look back over the years illustrates how far the Framework has come.

Last month, the NIST Cybersecurity Framework celebrated its five-year anniversary.

In February 2013, then-President Barack Obama ordered the National Institute of Science and Technology (NIST) to develop a voluntary framework for cybersecurity.

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," dictates the pursuant executive order.

Twelve months later, NIST released the original version of the NIST Cybersecurity Framework, then titled "Framework for Improving Critical Infrastructure Security."

Beyond critical infrastructureIndeed, the executive order mandating the creation of the Framework specified that the Framework be developed "to reduce cyber risks to critical infrastructure" -- but the Framework has evolved substantially since then. It has been adopted far beyond the realm of critical infrastructure, across myriad industries -- particularly as cyber-insurance carriers have all but required clients to follow the Framework as a condition of coverage. The year after NIST released its Framework, Gartner reported that it was then already in use in more than 30% of US organizations.

"Since its initial release in February 2014, we've seen extensive use of the Framework by diverse companies, sectors, governments, and other organizations," Kevin Stine, chief of the Applied Cybersecurity Division in NIST's Information Technology Lab, told Security Now. "Because the Framework offers a flexible approach that is anchored in the principle of risk management, it can be extended and interpreted to meet the business objectives of an organization -- whatever its priorities."

What's more, NIST has seen its Framework extend its guidance beyond US borders. The agency reports that several other sovereignties -- including Bermuda, Israel, Italy and Japan -- have adopted their own adaptations of the Framework.

Back in the US, the Framework, although voluntary, has taken the effect of "pseudo-law" in some cases. Federal regulatory agencies -- notably including the FTC as well as numerous bodies regulating the financial sector -- have held those it investigates to the Framework's standards when determining data-protection adequacy. Other agencies have made Framework compliance mandatory for their government contractors.

"For financial services companies, the NIST Framework seems to restate many best practices that financial services companies adhere to in their general risk management programs," Sean Mahoney, Northern Bank's General Counsel, told Security Now. "For companies in other industries, the framework is designed to address a cybersecurity program at various states of maturity."

Making security frameworks accessibleTo this end, the heart of the Framework relies on identifying, defining and tying international standards to each of five cyclical functions:

  • Identify [threats],
  • Protect [against threats],
  • Detect [intrusions/incidents],
  • Respond [to incidents], and
  • Recover [from incidents].

In this respect, the Framework is both an aggregator of several widely accepted best practices and a translator to allow for better, Framework-tied communication between the IT elite and lay decision-makers in the organization. To better aid in this, NIST has worked on making the Framework more accessible to organizations of all types and sizes through additional documentation, as well as direct engagement with the private sector and NGOs.

Small businesses, in particular, have drawn special attention because of their special needs. In November 2016, NIST released a guide for small businesses on using principles from the Framework to improve their cybersecurity. More recently, this very month, NIST announced that its "Small Business Cybersecurity Corner" had gone live online as an additional resource to organizations wading their way through cyber-risk management.

"NIST is committed to an open and transparent private-public partnership," said Stine. "NIST has continuously worked with all stakeholders to understand current and future challenges in the cybersecurity space through requests for information, workshops and other engagement methods."

Framework updatesAbout four months ago, for instance, NIST held a workshop on managing cybersecurity risk as, in Stine's words, "an opportunity for NIST to hear from industry [and] academia, as well as national and international collaborators, on current challenges and opportunities in the space." According to Stine, the discussion from this workshop will inform updates to further NIST guidance related to the Framework. And, to be clear, NIST and its spokespeople (including Stine in his recent comments to Security Now) have long made clear that the Framework represents "a living document" that must adjust to the ever-changing world of cyber threats and risk mitigations.

Even so, the Framework -- particularly with its first actual update (dubbed "version 1.1") last year -- seems to have withstood the test of time as a superior option even to many security frameworks developed in house. (See Digital Transformation With IoT: Assessing Risk Through Standards & Visibility.)

"This update included increased treatment of supply-chain risk management, authentication, coordinated vulnerability disclosure, and other concepts in the Framework Core," elaborated Stine. "Additionally, the Framework Implementation Tiers were enhanced to provide more guidance to organizations in the execution of a cybersecurity risk management program."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-21
jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a malicious and pastin...
PUBLISHED: 2021-09-21
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the sam...
PUBLISHED: 2021-09-21
Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.
PUBLISHED: 2021-09-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.
PUBLISHED: 2021-09-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.