What is the NIST Cybersecurity Framework?
In February 2014 the U.S. National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST Cybersecurity Framework. The Framework is designed to complement, aggregate, and organize an organization’s existing security and risk management practices and programs. The Cybersecurity Framework aligns with NIST’s security and privacy standards and guidelines. Organizations are able to link existing approaches to the Framework’s core Functions – Identify, Protect, Detect, Respond, and Recover. To download the NIST Cybersecurity Framework, visit: https://www.nist.gov/cyberframework.
Who Uses the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is publicly available for download and free to use by government and industry organizations. When first published in February 2014, the Framework was aimed at operators of national critical infrastructure; it has since been referenced by a wide range of businesses and organizations across industries.
Updates to the NIST Cybersecurity Framework
[last updated by CISQ: December 6, 2017]
- On January 10, 2017, NIST issued Draft Version 1.1 of the Cybersecurity Framework. See Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1: https://www.nist.gov/cyberframework/draft-version-11
- Draft Version 1.1 provides new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity.
- Read the January 10, 2017 press release, NIST Releases Update to Cybersecurity Framework: https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework
- On May 11, 2017, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was announced, requiring U.S. Federal Agencies to use the NIST Cybersecurity Framework to demonstrate security and risk management practices. Read: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
- On May 12, 2017, NIST announced Draft NISTIR 8170: The Cybersecurity Framework: Implementation Guidance for Federal Agencies. Following the Presidential Executive Order on cybersecurity, the guidance document serves as a companion guide explaining eight use cases for government application of the Cybersecurity Framework. See: nist.gov/publications/drafts/nistir-8170/nistir8170-draft.pdf
- On December 5, 2017, NIST issued Draft 2 of Version 1.1 of the Cybersecurity Framework and an updated companion Roadmap. See Framework for Improving Critical Infrastructure Cybersecurity, Draft 2 of Version 1.1: https://www.nist.gov/cyberframework/draft-version-11
- Draft 2 of Version 1.1 focuses on clarifying, refining, and enhancing the Framework. The Roadmap details public and private sector efforts related to and supportive of the Framework.
- The final Cybersecurity Framework Version 1.1 is anticipated for release in the spring of 2018.
Position Statement from CISQ
The Consortium for IT Software Quality (CISQ) supports NIST’s efforts to develop the Cybersecurity Framework, and has submitted comments during open review periods. The Cybersecurity Framework explains “what to do” to develop, acquire, modernize, and secure IT-intensive systems, and leaves “how to do it” open for an organization to customize with its own practices.
CISQ’s contributions to the NIST Cybersecurity Framework are automatable source code standards for measuring software size and software structural quality (see the Automated Quality Characteristic Measures for security and reliability, each of which aggregates critical violations of good coding and architectural practice). Automated code quality metrics make it feasible to measure software reliability and security at regular intervals – at each release cycle, in Agile/DevOps accelerated environments, or when evaluating technical deliverables from suppliers or outsourced IT service providers.
Updates in Version 1.1 of the NIST Cybersecurity Framework promote these points:
- Formal agreements of baseline requirements for suppliers and partners
- The monitoring of cyber risk, similar to financial risk or operational risk
- Metrics measurement
CISQ provides the software metrics needed to meet the requirements of the NIST Cybersecurity Framework. To leverage CISQ resources for these efforts, view the Use Cases section of our website.