NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

The CSF is composed of three primary components: the Core, Implementation Tiers, and Profiles. The Core outlines five key cybersecurity functions (Identify, Protect, Detect, Respond, and Recover), each of which is further divided into specific categories and subcategories. These functions offer a high-level, outcome-driven approach to managing cybersecurity risks. The Implementation Tiers help organizations assess the sophistication of their cybersecurity practices, while the Profiles allow for customization based on an organization's unique risk profile and needs.

Since its inception, the CSF has undergone several updates to reflect the evolving nature of cybersecurity. Version 1.1, released in 2018, introduced enhancements related to supply chain risk management and self-assessment processes. The most recent update, Version 2.0, was published in 2024, expanding the framework's applicability and adding new guidance on cybersecurity governance and continuous improvement practices.

The NIST Cybersecurity Framework is used internationally and has been translated into multiple languages. It serves as a benchmark for cybersecurity standards, helping organizations align their practices with recognized global standards, such as ISO/IEC 27001 and COBIT. While widely praised, the framework has been criticized for the cost and complexity involved in its implementation, particularly for small and medium-sized enterprises.

Overview

The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and mitigate cybersecurity risks. It draws from existing standards, guidelines, and best practices to provide a flexible and scalable approach to cybersecurity. The framework provides a high-level taxonomy of cybersecurity outcomes and offers a methodology for assessing and managing those outcomes. Additionally, it addresses the protection of privacy and civil liberties in a cybersecurity context.

The CSF has been translated into multiple languages and is widely used by governments, businesses, and organizations across various sectors. According to a 2016 survey, 70% of organizations view the NIST Cybersecurity Framework as a best practice for computer security, though some have noted that implementation can require significant investment.

The framework is designed to be flexible and adaptable, providing high-level guidance that allows individual organizations to determine the specifics of implementation based on their unique needs and risk profiles.

Version 1.0 of the framework was published in 2014, primarily targeting operators of critical infrastructure. A public draft of Version 1.1 was released for comment in 2017, and the final version was published on April 16, 2018. Version 1.1 retained compatibility with the original framework while introducing additional guidance on areas such as supply chain risk management. Version 2.0, released in 2024, further expanded the framework's scope and introduced new guidelines on self-assessment and cybersecurity governance.

The framework consists of three main components: the "Core," "Profiles," and "Tiers." The Core provides a comprehensive set of activities, outcomes, and references related to various aspects of cybersecurity. The Implementation Tiers help organizations assess their cybersecurity practices and sophistication, while the Profiles allow organizations to tailor the framework to their specific requirements and risk assessments.

Organizations typically start by developing a "Current Profile" to describe their existing cybersecurity practices and outcomes. From there, they can create a "Target Profile" to outline the desired future state and define the steps needed to achieve it. Alternatively, organizations can adopt a baseline profile based on their sector or specific industry needs.

Research indicates that the NIST Cybersecurity Framework has the potential to influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still emerging. This influence could foster better international cybersecurity practices, benefiting businesses that operate across borders and contributing to global cybersecurity efforts.

Functions and categories of cybersecurity activities

Figure: NIST Version 1.1

The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all.

For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references require a paid membership or purchase to access their respective guides. The cost and complexity of the framework have resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.

Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document.

Identify

"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.

Protect

"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond

"Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident."

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Recover

"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident."

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Updates

In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies' operational environments.

Journey to CSF 2.0

The NIST Cybersecurity Framework is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best practices and lessons learned. Since releasing version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released a subsequent concept paper in January of 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and has requested public comments be submitted by November 4, 2023.

Main Changes

The following is a list of the major changes to the framework from version 1.1 to 2.0:

The title of the framework has changed from "Framework for Improving Critical Infrastructure Cybersecurity" to "Cybersecurity Framework". The scope of the framework has been updated to reflect the large population of organizations that use the framework.

Implementation examples have been added to provide practical and action-oriented processes to help users achieve the CSF subcategories. Additionally, the framework Profiles have been revised and expanded to demonstrate the various purposes of the profiles.

A new Function, Govern, has been added to provide organizational context and the roles and responsibilities associated with developing a cybersecurity governance model. There is also an additional category in this Function focused on cybersecurity supply chain risk management.

The latest update also provides greater information on cybersecurity assessments by placing greater importance on the continuous improvement of security through a new Improvement Category in the Identify Function.

See also

Cybersecurity
Cyber security standards
Privacy
Critical infrastructure protection
ISO/IEC 27001:2013: an information security standard from the International Organization for Standardization
COBIT: Control Objectives for Information and Related Technologies - a related framework from ISACA
NIST Special Publication 800-53: "Security and Privacy Controls for Federal Information Systems and Organizations."
Risk Management Framework - US-federally mandated risk framework (broader scope than cybersecurity)

This article incorporates public domain material from NIST Cybersecurity Framework. National Institute of Standards and Technology.