NIST Cybersecurity Framework

What is the NIST Cybersecurity Framework?

In February 2014 the U.S. National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST Cybersecurity Framework. The Framework was designed to complement and consolidate an organization’s existing security and risk management practices and programs, and it aligns with NIST’s security and privacy standards and guidelines. Organizations can map their existing approaches to the Framework’s core Functions: Identify, Protect, Detect, Respond, and Recover. To download the NIST Cybersecurity Framework, visit: https://www.nist.gov/cyberframework.

Who Uses the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is publicly available for download and free for government and industry organizations to use. When first published in February 2014, the Framework was aimed at operators of national critical infrastructure; it has since been adopted as a reference by a wide range of businesses and organizations across industries.

Updates to the NIST Cybersecurity Framework

[last updated by CISQ: June 22, 2017]

Position Statement from CISQ

The Consortium for IT Software Quality (CISQ) supports NIST’s efforts to develop the Cybersecurity Framework, and has submitted comments during its open review periods. The Cybersecurity Framework explains “what to do” to develop, acquire, modernize and secure IT-intensive systems, and leaves “how to do it” to each organization to customize with its own practices.

CISQ’s contributions to the NIST Cybersecurity Framework are automatable source code standards for measuring software size and software structural quality. See the Automated Quality Characteristic Measures for measuring security and reliability; each measure is based on an aggregation of critical violations of good coding and architectural practice. Automated code quality metrics make it feasible to measure software reliability and security at regular intervals, such as at each release cycle, whether in accelerated Agile/DevOps environments or when evaluating technical deliverables handed over at the end of a cycle by suppliers or outsourced IT service providers.

Updates in Version 1.1 of the NIST Cybersecurity Framework promote these points:

  • Formal agreements of baseline requirements for suppliers and partners
  • The monitoring of cyber risk, similar to financial risk or operational risk
  • Metrics measurement

CISQ provides the metrics for software that are necessary to meet the requirements of the NIST Cybersecurity Framework. To leverage CISQ resources for these efforts, view the Use Cases section of our website.