Frequently Asked Questions

The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

NIST is not a regulatory agency and the Framework was designed to be voluntarily implemented. However, while most organizations use it on a voluntary basis, some organizations are required to use it. Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies, and several federal, state, and foreign governments, as well as insurance organizations, have made the Framework mandatory for specific sectors or purposes. Some organizations may also require use of the Framework for their customers or within their supply chain.

No, the Framework provides a series of outcomes to address cybersecurity risks; it does not specify the actions to take to meet the outcomes. Because standards, technologies, risks, and business requirements vary by organization, the Framework should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary.

NIST engaged closely with stakeholders in the development of the Framework, as well as updates to the Framework. Tens of thousands of people from diverse parts of industry, academia, and government have participated in a host of workshops on the development of the Framework 1.0 and 1.1. In addition, NIST has received hundreds of comments representing thousands of detailed suggestions in response to requests for information as well as public drafts of versions of the Framework. More information on the development of the Framework can be found in the Development Archive.

NIST routinely engages stakeholders through three primary activities. First, NIST continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs. Second, NIST solicits direct feedback from stakeholders through requests for information (RFI), requests for comments (RFC), and through the NIST Framework team’s email cyberframework@nist.gov. Finally, NIST observes and monitors relevant resources and references published by government, academia, and industry.

NIST is a federal agency within the United States Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Since 1972, NIST has conducted cybersecurity research and developed cybersecurity guidance for industry, government, and academia. 

No. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors (including federal agencies) are using the Framework. NIST encourages any organization or sector to review and consider the Framework as a helpful tool in managing cybersecurity risks.

The Framework can be used by organizations that already have extensive cybersecurity programs, as well as by those just beginning to think about putting cybersecurity management programs in place. The same general approach works for any organization, although the way in which they make use of the Framework will differ depending on their current state and priorities.

Organizations are using the Framework in a variety of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices. Some parties are using the Framework to reconcile and de-conflict internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices. The Resources and Success Stories sections provide examples of how various organizations have used the Framework.

Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers. The Framework can also be used to communicate with external stakeholders such as suppliers, service providers, and system integrators.

The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to organizational, mission/business, and IT and operational technology (OT)/industrial control system (ICS) systems-level professionals. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.

The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high-level view of cybersecurity activities and outcomes that could be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.

Framework effectiveness depends upon each organization’s goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user’s discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.

No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.

The common structure and language of the Cybersecurity Framework is useful for organizing and expressing compliance with an organization’s requirements. The Framework provides a flexible, risk-based approach to help organizations manage cybersecurity risks and achieve their cybersecurity objectives. Those objectives may be informed by and derived from an organization’s own cybersecurity requirements, as well as requirements from sectors, applicable laws, and rules and regulations.

The Framework can help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. For example, Framework Profiles can be used to describe the current state and/or the desired target state of specific cybersecurity activities. Current Profiles indicate the cybersecurity outcomes that are currently being achieved, while Target Profiles indicate the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing these Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps to fulfill a given Category or Subcategory of the Framework Core can aid in setting priorities considering the organization’s business needs and its risk management processes.

The Framework Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which can also aid in prioritizing and achieving cybersecurity objectives. Tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.

With an understanding of cybersecurity risk tolerance, organizations can prioritize cybersecurity activities, enabling them to make more informed decisions about cybersecurity expenditures. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services. Risk management programs offer organizations the ability to quantify and communicate adjustments to their cybersecurity programs.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.

Yes. The approach was developed for use by organizations that span from the largest to the smallest.

NIST has a long-standing and on-going effort supporting small business cybersecurity. This is accomplished by providing guidance through websites, publications, meetings, and events. This includes a Small Business Cybersecurity Corner website that puts a variety of government and other cybersecurity resources for small businesses in one site. That includes the Federal Trade Commission’s information about how small businesses can make use of the Cybersecurity Framework.

NIST coordinates its small business activities with the Small Business Administration, the National Initiative For Cybersecurity Education (NICE), National Cyber Security Alliance, the Department of Homeland Security, the FTC, and others.

Small businesses also may find Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) a valuable publication for understanding important cybersecurity activities. It is recommended as a starter kit for small businesses. The publication works in coordination with the Framework, because it is organized according to Framework Functions.