In February 2013, the President of the United States issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” to address the growing threat to U.S. critical infrastructure. The purpose of the EO was to “enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

The order provided a mandate to establish a voluntary common framework for cybersecurity defense. In response to this mandate, the National Institute of Standards and Technology (NIST) was tasked with development of the Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the Cybersecurity Framework. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors, including federal agencies, are using the framework as a helpful tool in managing cybersecurity risks.

What Is the NIST CSF?

The NIST CSF is based on NIST 800-53, which mandates security requirements for federal government IT systems. The NIST CSF is far more concise and uses less technical language. It provides guidance to organizations, based on existing standards, guidelines, and practices, to better manage and reduce their cyber security risk. It also encourages communications about risk and cybersecurity management among internal and external organizational stakeholders.

The most recent version of the NIST CSF, v. 1.1, was released in April 2018. It includes updates on authentication and identity, IoT risks, self-assessing cyber security risk, managing cyber security within the supply chain, and vulnerability disclosure.

The NIST CSF consists of three main components: the Core, Implementation Tiers, and Profiles. These are further broken down into five “functions” – Identify, Protect, Detect, Respond, and Recover – which are subdivided into 22 “categories” outlining cyber security outcomes and security controls.

Who Should Use the NIST CSF?

The NIST CSF was originally designed for companies that are part of the nation’s critical infrastructure, such as energy and water utilities, transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, key manufacturers, and emergency services. However, a wide variety of private and public-sector enterprises utilize it. It is inherently versatile and scalable, and it can be customized for use by organizations of all sizes, in all sectors, whether they are just developing a cyber security program or have had one in place for some time.