The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework has been translated to many languages and is used by the governments of Japan and Israel, among others. It “provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.” Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management. In 2017, a draft version of the framework, version 1.1, was circulated for public comment. Version 1.1 was announced and made publicly available on April 16, 2018]Version 1.1 is still compatible with version 1.0. The changes include guidance on how to perform self-assessments, additional detail on supply chain risk management and guidance on how to interact with supply chain stakeholders.
A security framework adoption study reported that 70% of the surveyed organizations see NIST’s framework as a popular best practice for computer security, but many note that it requires significant investment.
“Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
- Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.