Jump to content

www.nist.gov/cyberframework/frequently-asked-questions

Careers
Shop
Visit

Search

NIST Menu

Topics Expand or Collapse
Publications
Labs & Major Programs Expand or Collapse
Services & Resources Expand or Collapse
News & Events Expand or Collapse
About NIST Expand or Collapse

Cybersecurity Framework

cyberframework Expand or Collapse

Frequently Asked Questions

Share

Facebook Google Plus Twitter

Framework Basics

What is the Framework, and what is it designed to accomplish?

Is my organization required to use the Framework?

Does it provide a recommended checklist of what all organizations should do?

Why should an organization use the Framework?

When and how was the Framework developed?

What is the purpose of Executive Order 13636?

Who from the private sector helped to develop the Framework?

Why is NIST involved? What is NIST's role in setting cybersecurity standards?

Framework Users

What critical infrastructure does the Framework address?

Does the Framework apply only to critical infrastructure companies?

Does the Framework benefit organizations that view their cybersecurity programs as already mature?

How is the Framework being used today?

Framework Components

What is the Framework Core and how is it used?

What are Framework Profiles and how are they used?

What are Framework Implementation Tiers and how are they used?

Are the Tiers equivalent to maturity levels?

What is the relationship between the Framework and NIST Roadmap for Improving Critical Infrastructure Cybersecurity?

Using the Framework

What is the difference between 'using', 'adopting', and 'implementing' the Framework?

Would the Framework have prevented recent highly publicized attacks?

Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?

How does the Framework relate to information sharing?

Can the Framework help managing risk for assets that are not under my direct management?

Should the Framework be applied to and by the entire organization or just to the IT department?

How can the Framework help an organization with external stakeholder communication?

What is the role of senior executives and Board members?

How can organizations measure the effectiveness of the Framework?

How long does it take to implement the Framework?

Does the Framework require using any specific technologies or products?

Is a conformity assessment program being planned?

Will my organization be regulated against gaps between my current regulation and Framework?

Is there a way to find out how organizations have used the Framework, and is there a place to get guidance that would help others?

What if Framework guidance or tools do not seem to exist for my sector or community?

Why did NIST create the Perspectives web pages?

What are Success Stories?

How is cyber resilience reflected in the Cybersecurity Framework?

Small Business Use

Does the Framework apply to small businesses?

Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations, just getting started with cybersecurity?

Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations just getting started with cybersecurity?

U.S. Federal Agency Use

Are U.S. Federal agencies required to apply the Framework to Federal information systems?

Can U.S. Federal agencies apply the Framework to Federal information systems?

How is NIST integrating the Cybersecurity Framework into the cybersecurity risk management practices of federal agencies?

Why did NIST author Interagency Publication 8170?

What is the relationship between the Framework and NIST's Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39)?

What is the relationship between the Framework and NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37)?

What type of NIST publication is The Framework for Improving Critical Infrastructure Cybersecurity?

How is NIST integrating the Cybersecurity Framework into the cybersecurity risk management practices of federal agencies?

Relationship Between the Framework and Other Approaches and Initiatives

What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework currently under development?

What is the relationship between the Framework and the DHS Critical Infrastructure Cyber Community (C³) Voluntary Program?

What is the relationship between the Framework and the DHS Cyber Resilience Review?

Is the Framework being aligned with international cybersecurity initiatives and standards?

What is the relationship between the Framework and NIST's Cyber-Physical Systems (CPS) Framework?

What is the relationships between Internet of Things (IoT) and the Framework? Do we need an ‘IoT Framework

What is the relationship between the Framework and the Baldrige Cybersecurity Excellence Builder?

What is the relationship between threat and cybersecurity frameworks?

What is the difference between a translation and adaptation of the Framework?

Updates to the Cybersecurity Framework

How often will NIST update the Framework?

How did NIST process the V1.1 update?

How did NIST determine features for this update?

What changes are included in Framework V1.1?

Were there changes proposed to the Framework in light of progress made in areas identified in the 2014 Roadmap?

What does this mean for organizations that already have incorporated the current Framework?

Should I use V1.0 or V1.1?

What assistance will NIST provide to organizations that choose to incorporate the additional content and functionality of the new version of the Framework?

Informative References

What are Informative References?

What are online Informative References (OLIR)?

Why were online Informative References necessary?

Where can I comment and provide feedback about the Online Informative Reference Program?

What is the difference between a Reference and a Reference Document?

Are References publicly available?

Who can author and submit References?

If more than one Reference is submitted for a single Reference Document, which one should I use?

What if I disagree with a Reference assertion, can I provide feedback?

Are Federal agencies and government contractors required to use the Framework References?

How should federal agencies use the Framework References?

Communicating with NIST

How can I ensure resources or case studies my organization has released publicly are visible for others to use?

Does NIST encourage translations of the Cybersecurity Framework? If so, is there a procedure to follow?

Who can answer additional questions regarding the Framework?

How do I sign up for the mailing list to receive updates on the NIST Cybersecurity Framework?

How can I share my thoughts or suggestions for improvements to the Cybersecurity Framework with NIST?

Cybersecurity

Created February 11, 2015, Updated May 02, 2019

twitter
facebook
linkedin
Instagram
youtube
rss
govdelivery

HEADQUARTERS
100 Bureau Drive
Gaithersburg, MD 20899
301-975-2000

Webmaster | Contact Us | Our Other Offices

How are we doing? Feedback

Topics
Publications
Labs & Major Programs
Services & Resources
News & Events
About NIST

Privacy Statement
Privacy Policy
Security Notice
Accessibility Statement
NIST Privacy Program
No Fear Act Policy

Disclaimer
FOIA
Environmental Policy Statement
Cookie Disclaimer
Scientific Integrity Summary
NIST Information Quality Standards

Business USA
Commerce.gov
Healthcare.gov
Science.gov
USA.gov