Cybersecurity Framework Frequently Asked Questions

USING THE FRAMEWORK

21. What is the difference between 'using', 'adopting', and 'implementing' the Framework?
In a strict sense, these words are fairly interchangeable. They can mean an organization's use of the Framework as a part of its internal processes. NIST generally refers to "using" the Framework.

22. Would the Framework have prevented recent highly publicized attacks?
There are no "silver bullets" when it comes to cybersecurity and protecting an organization. For instance, "Zero-day" attacks exploiting previously unknown software vulnerabilities are especially problematic. However, using the Framework to assess and improve management of cybersecurity risks should put organizations in a much better position to identify, protect, detect, respond to, and recover from an attack, minimizing damage and impact.

23. Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?
Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

24. How does the Framework relate to information sharing?
The Framework provides guidance on how awareness of real and potential threats and vulnerabilities can be used to enhance an organization's cybersecurity program.

25. Can the Framework help manage risk for assets that are not under my direct management?
Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers.

26. Should the Framework be applied to and by the entire organization or just to the IT department?
The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to professionals at the organizational level, the mission/business level, and the IT and operational technology (OT)/industrial control system (ICS) systems level, respectively. This enables accurate and meaningful communication from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.

27. How can the Framework help an organization with external stakeholder communication?
The Framework can be used to communicate with external stakeholders such as suppliers, service providers, and system integrators. More specifically, the Framework Core is a language in which to communicate, while Framework Profiles can be used to express security requirements.

28. What is the role of senior executives and Board members?
The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high-level view of cybersecurity activities and outcomes that can be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.

29. How can organizations measure the effectiveness of the Framework?
Framework effectiveness depends upon each organization's goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user's discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.

30. How long does it take to implement the Framework?
Each organization's cybersecurity resources, capabilities, and needs are different, so the time to implement the Framework will vary among organizations, ranging from as short as a few weeks to several years. The Framework Core's hierarchical design enables organizations to apportion steps between current state and desired state in a way that is appropriate to their resources, capabilities, and needs. This allows organizations to develop a realistic action plan to achieve Framework outcomes in a reasonable time frame, and then build upon that success in subsequent activities.

31. Does the Framework require using any specific technologies or products?
No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.

32. Is a conformity assessment program being planned?
NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs. NIST is able to discuss conformity assessment-related topics with interested parties.

33. Will my organization be regulated against gaps between my current regulation and Framework?
The Framework was created with the current regulatory environment in mind, and does not replace or augment any existing laws or regulations. The Framework leverages industry best practices and methods for cybersecurity risk management, which are often used in regulation.

34. Is there a way to find out how organizations have used the Framework, and is there a place to get guidance that would help others?
Early users of the Framework are beginning to produce case studies, implementation guides, and other resources. These resources are starting to be available through trade and professional associations. NIST is also listing those items at the Framework Web site on the Industry Resources web page, as we become aware of them.

35. What if Framework guidance or tools do not seem to exist for my sector or community?
The Framework is designed to be applicable to any organization in any part of the critical infrastructure or broader economy. Applications from one sector may work equally well in others. It is expected that many organizations face the same kinds of challenges. There are published case studies and guidance that can be leveraged, even if they are from different sectors or communities. Organizations can encourage associations to produce sector-specific Framework mappings and guidance and organize communities of interest. You may also find value in coordinating within your organization or with others in your sector or community.

Created September 30, 2015, Updated August 25, 2016