Washington, DC - The NIST Cybersecurity Framework consists of standards, guidelines and best practices to manage cybersecurity-related risk. The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. We spoke with Amy Mahn, an international policy specialist in the NIST Applied Cybersecurity Division, about the Framework, who can use it and how it's evolving.

What is the Cybersecurity Framework and what was it created to accomplish?

AVM: The Framework for Improving Critical Infrastructure Cybersecurity, or the Cybersecurity Framework as many of us refer to it, is voluntary guidance for organizations to better manage and reduce their cybersecurity risk. NIST developed the Framework at the direction of the White House with the active participation of industry, academia and multiple levels of government. It’s designed to be a “common language” that spans the entirety of cybersecurity risk management and that can be easily understood by people with all levels of cybersecurity expertise. Five functions comprise the core of the Framework: Identify, Protect, Detect, Respond and Recover. Under these overarching functions, the Framework provides a catalog of cybersecurity outcomes based on existing standards, guidelines and practices that organizations can customize to better manage and reduce their cybersecurity risk.

Although we designed the Framework specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors are using and gaining value from the approach. A 2017 Executive Order requires federal agencies to use it, but the Cybersecurity Framework remains voluntary for industry. Twenty-one states are using it, and we have also seen an increase in the use and adaptation of the Framework internationally. 

Why should businesses use the Cybersecurity Framework? Are there certain kinds and sizes of companies that should use it? How about others?

AVM: NIST encourages all organizations—for-profit businesses, not-for-profit organizations and government agencies—to review and consider using the Framework to understand and manage their cybersecurity risk. Because NIST and our collaborators designed the Framework to be flexible enough to be adopted by 16 disparate U.S. critical infrastructure sectors, e.g. utilities, financial services, agriculture, health care, etc., we ended up creating something that is applicable to all types of businesses, including smaller organizations with fewer IT resources, regardless of the state of their current cybersecurity practices. It offers a common and understandable language that all can use to communicate their cybersecurity risks and expectations to suppliers and customers alike. The Framework is risk-based, so it allows organizations to determine the appropriate level of cybersecurity for their individual risk environment, requirements and business objectives. The Cybersecurity Framework is easily paired with the many excellent standards and practices that already exist, allowing users to take advantage of what’s working now and what will emerge over time. It’s also valuable as a living document because this voluntary risk management tool can evolve faster than regulation and legislation in the face of quickly changing technology and threats. NIST updates the Framework based on regular input from stakeholders as we learn from their customized implementations. 

I’d like to emphasize that every organization faces its own set of cybersecurity challenges, and it’s not an issue that just larger companies need to address. There is a great risk to small- and medium-sized businesses as well as the larger supply chain upon which the U.S. relies for its economy and national security. We encourage all businesses to consider using the Framework and adapt it in ways that support their cybersecurity and maximize their business value.

Does it provide a recommended checklist of what all organizations should do?

AVM: The Framework is guidance that is meant to be adapted to varying sectors, organizations, requirements and technologies. It should be customized by different sectors and individual organizations to best suit their risks, situations and needs. Organizations will continue to have unique risks—different threats, different vulnerabilities, different risk tolerances—and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all solution.

For small businesses, cybersecurity can be beyond the skills of the people who work there. They might be too small to have an IT department. How can they use the Framework to defend themselves?

AVM: We recognize that smaller businesses, especially those with few IT resources, can have special challenges assessing cybersecurity risks and implementing risk management measures.

The tiered structure of the Cybersecurity Framework holds the key to applying it in a small business setting. Often the extended Cybersecurity Framework catalog of outcomes is too detailed for the initial efforts of small businesses. If so, businesses will find value in reflecting on the five functions and their corresponding outcomes. The functions—Identify, Protect, Detect, Respond, and Recover—remind us of how important it is to balance proactive safeguards while preparing for worst-case scenarios. This balance is especially important in small business settings where a worst-case incident could drastically affect the solvency of a business.

Generally, NIST has always placed emphasis on meeting the cybersecurity needs of small businesses by providing guidance through various publications, meetings and events. Materials and an associated program description are available at the Computer Security Resource Center.

One particularly useful resource for better understanding cybersecurity activities from a small business perspective is Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1). We recommend this guide, which is organized according to the five Framework functions, as a starter kit for small businesses. 

We anticipate developing even more resources to help small- and medium-sized businesses within the coming year. The president signed the NIST Small Business Cybersecurity Act in early August 2018, which requires the director of NIST, within one year, to issue guidance and a consistent set of resources to help small- and medium-sized businesses identify, assess and reduce their cybersecurity risks. NIST will be producing more accessible information and resources, and amplify awareness of helpful resources produced by others that will be handy for these smaller organizations as they address cybersecurity risks and explore implementing the Framework.

How is the framework evolving? Any insight into future revisions?

AVM: We just released our first update, Framework version 1.1, in April of this year. This version includes language and features that stakeholders identified as important, including supply chain risk management, coordinated vulnerability disclosure, and authentication and identity proofing. There’s a new section on the relevance and utility of the Framework for organizational self-assessment, and we’re also updating the Framework’s Informative References to reflect the advancement of standards and guidelines by private and public-sector organizations. That said, Framework v1.1 is still fully compatible with the first version. When considering using the Framework, NIST recommends that organizations incorporate the additional content and functionality of v1.1 based on the needs of the individual organization.

We will continue to refine and improve the Framework over time to keep pace with the evolution of technology and threats, integrate lessons learned, and establish best practices as common practices. As part of that process, we will ask our stakeholders every three years whether it’s time to consider an update and what they would like to see in that update. But because we recognize that cybersecurity threats and the general risk landscape changes quickly, our decisions about the timing of updates will also be based on user experiences, technological advances and standards innovations.

What do you wish we had asked you?

AVM: We always appreciate a chance to highlight the increased work we have been doing at NIST on seeking greater international alignment of the Framework and where we’re headed in this area. 

The Cybersecurity Enhancement Act of 2014 affirmed and emphasized our role in driving global alignment in consultation with international organizations and governments of other nations. To do this, we have been increasing our Cybersecurity Framework-related engagement efforts with partners and supporting participation in standards-developing organizations.

We don’t see the Framework as a “U.S. only” document, as it references globally recognized standards, guidelines and practices. This allows the Framework to be used to more easily and efficiently manage new and evolving risks outside of the U.S. Parties may prefer to reference the recently published ISO/IEC Technical Report 27103, Cybersecurity and ISO and IEC Standards, which incorporates language from the first version of the Framework but does not mention the Framework specifically. It provides a nice, neutral outlet for the Framework’s language, so countries can use its content while citing their alignment with an internationally accepted document. 

We have also ramped up our engagement with other countries. This includes recent meetings, arranged by the U.S. Commerce Department’s International Trade Administration, with Brazilian government and industry organizations to encourage them to adopt the Framework. While countries like Japan, Israel, Italy and Bermuda have already translated and adapted the Framework for their needs, we have also noticed even more translations and adaptations of the Framework surfacing recently.

The government and various industries in Uruguay, for instance, have been using it. We also know that Switzerland has recently incorporated it into a minimum standard for improving information and communications technology resilience. I’d also like to note that NIST is currently producing a Spanish translation of the Framework that will help make the content accessible to an even wider audience. 

And if we can ask you for a bonus question … another favorite one that we often hear is “Where can I go for more information on the Framework?” To learn more about the updates in Framework v1.1, our recent international efforts, and everything else related to the Framework, please visit our website. You can also find links to the international translations and adaptations mentioned earlier as well as others on our international resources page. 

We also encourage collaboration at the NIST Cybersecurity Risk Management Conference (#NISTCRM2018) taking place in Baltimore, Maryland, on November 7-9, 2018. This newly expanded conference is a continuation of the annual Cybersecurity Framework workshops from past years, with the addition of topics associated with NIST projects such as the Risk Management Framework, Supply Chain Risk Management, and Privacy. More information, including the latest version of the agenda and instructions for registration can be found here.