Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Questions and Answers

Framework Basics

What is the Framework, and what is it designed to accomplish?

The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Where do I get started?

The NIST Framework website has a lot of resources to help organizations implement the Framework. The Framework Quick Start Guide  provides direction and guidance to those organizations – in any sector or community – seeking to improve cybersecurity risk management via utilization of the NIST Cybersecurity Framework.  The Resource Repository includes approaches, methodologies, implementation guides, mappings to the Framework, case studies, educational materials, Internet resource centers (e.g., blogs, document stores), example profiles, and other Framework document templates.

Is my organization required to use the Framework?

NIST is not a regulatory agency and the Framework was designed to be voluntarily implemented. However, while most organizations use it on a voluntary basis, some organizations are required to use it. Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies, and several federal, state, and foreign governments, as well as insurance organizations have made the Framework mandatory for specific sectors or purposes. Some organizations may also require use of the Framework for their customers or within their supply chain.

Does it provide a recommended checklist of what all organizations should do?

No, the Framework provides a series of outcomes to address cybersecurity risks; it does not specify the actions to take to meet the outcomes.  Because standards, technologies, risks, and business requirements vary by organization, the Framework  should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary.

Who helped to develop the Framework?

NIST engaged closely with stakeholders in the development of the Framework, as well as updates to the Framework.  Tens of thousands of people from diverse parts of industry, academia, and government have participated in a host of workshops on the development of the Framework 1.0 and 1.1. In addition, NIST has received hundreds of comments representing thousands of detailed suggestions in response to requests for information as well as public drafts of versions of the Framework.  More information on the development of the Framework, can be found in the Development Archive.

NIST routinely engages stakeholders through three primary activities. First, NIST continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs. Second, NIST solicits direct feedback from stakeholders through requests for information (RFI), requests for comments (RFC), and through the NIST Framework team’s email cyberframework [at] nist.gov. Finally, NIST observes and monitors relevant resources and references published by government, academia, and industry.

What is NIST? Why is NIST involved?

NIST is a federal agency within the United States Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Since 1972, NIST has conducted cybersecurity research and developed cybersecurity guidance for industry, government, and academia. 

How can we obtain NIST certification for our Cybersecurity Framework products/implementation?

NIST does not offer certifications or endorsement of Cybersecurity Framework implementations or Cybersecurity Framework-related products or services. NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs. NIST is able to discuss conformity assessment-related topics with interested parties.

NIST shares industry resources and success stories that demonstrate real-world application and benefits of the Framework. Sharing your own experiences and successes inspires new use cases and helps users more clearly understand Framework application and implementation. To contribute to these initiatives, contact cyberframework [at] nist.gov ().

Do I need reprint permission to use material from a NIST publication?

In general, publications of the National Institute of Standards and Technology, as publications of the Federal government, are in the public domain and not subject to copyright in the United States. Permission to reprint or copy from them is therefore not required. The original source should be credited. The credit line should include this recommended text: Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.

When using the CSF Five Functions Graphic (the five color wheel) the credit line should also include N.Hanacek/NIST.

Public domain official writing that is published in copyrighted books and periodicals may be reproduced in whole or in part without copyright limitations; however, the source should be credited.


Framework Users

Does the Framework apply only to critical infrastructure companies?

No. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors (including federal agencies) are using the Framework. NIST encourages any organization or sector to review and consider the Framework as a helpful tool in managing cybersecurity risks.

Does the Framework benefit organizations that view their cybersecurity programs as already mature?

The Framework can be used by organizations that already have extensive cybersecurity programs, as well as by those just beginning to think about putting cybersecurity management programs in place. The same general approach works for any organization, although the way in which they make use of the Framework will differ depending on their current state and priorities.

How is the Framework being used today?

Organizations are using the Framework in a variety of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework's standards, guidelines, and best practices. Some parties are using the Framework to reconcile and de-conflict internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices. The Resources and Success Stories sections provide examples of how various organizations have used the Framework.


Framework Components

What is the Framework Core and how is it used?

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. An example of Framework outcome language is, "physical devices and systems within the organization are inventoried."

The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.

What are Framework Profiles and how are they used?

A Framework Profile ("Profile") represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. They can also add Categories and Subcategories as needed to address the organization's risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

What are Framework Implementation Tiers and how are they used?

Framework Implementation Tiers ("Tiers") provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

What are Informative References?

Informative References show relationships between any number and combination of organizational concepts (e.g., Functions, Categories, Subcategories, Controls, Control Enhancements) of the Focal Document and specific sections, sentences, or phrases of Reference Documents. The discrete concepts of the Focal Document are called Focal Document elements, and the specific sections, sentences, or phrases of the Reference Document are called Reference Document elements


Using The Framework

Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?

Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

Can the Framework help manage risk for assets that are not under my direct management? How can the Framework help an organization with external stakeholder communication?

Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers. The Framework can also be used to communicate with external stakeholders such as suppliers, services providers, and system integrators.

Should the Framework be applied to and by the entire organization or just to the IT department?

The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management, with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to organizational, mission/business, and IT and operational technology (OT)/industrial control system (ICS) systems level professionals. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.

What is the role of senior executives and Board members?

The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high level view of cybersecurity activities and outcomes that could be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.

How can organizations measure the effectiveness of the Framework?

Framework effectiveness depends upon each organization's goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user's discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.

 

Do I need to use a consultant to implement or assess the Framework?

No.  While some organizations leverage the expertise of external organizations, others implement the Framework on their own.  NIST does not provide recommendations for consultants or assessors.

Does the Framework require using any specific technologies or products?

No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.

What if Framework guidance or tools do not seem to exist for my sector or community?

The Framework is designed to be applicable to any organization in any part of the critical infrastructure or broader economy. Applications from one sector may work equally well in others. It is expected that many organizations face the same kinds of challenges. There are published case studies and guidance that can be leveraged, even if they are from different sectors or communities. Organizations can encourage associations to produce sector-specific Framework mappings and guidance and organize communities of interest. You may also find value in coordinating within your organization or with others in your sector or community.

How is cyber resilience reflected in the Cybersecurity Framework?

NIST Special Publication (SP) 800-160, Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy secure systems, defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source. Cyber resiliency has a strong relationship to cybersecurity but, like privacy, represents a distinct problem domain and solution space. Cyber resiliency supports mission assurance, for missions which depend on IT and OT systems, in a contested environment. The Cybersecurity Framework specifically addresses cyber resiliency through the ID.BE-5 and PR.PT-5 subcategories, and through those within the Recovery function. Other Cybersecurity Framework subcategories may help organizations determine whether their current state adequately supports cyber resiliency, whether additional elements are necessary, and how to close gaps, if any. Many organizations find that they need to ensure that the target state includes an effective combination of fault-tolerance, adversity-tolerance, and graceful degradation in relation to the mission goals. The Cybersecurity Framework supports high-level organizational discussions; additional and more detailed recommendations for cyber resiliency may be found in various cyber resiliency models/frameworks and in guidance such as in SP 800-160 Vol. 2.

What is the Cybersecurity Framework’s role in supporting an organization’s compliance requirements?

The common structure and language of the Cybersecurity Framework is useful for organizing and expressing compliance with an organization’s requirements. The Framework provides a flexible, risk-based approach to help organizations manage cybersecurity risks and achieve its cybersecurity objectives. Those objectives may be informed by and derived from an organization’s own cybersecurity requirements, as well as requirements from sectors, applicable laws, and rules and regulations.

How do I use the Cybersecurity Framework to prioritize cybersecurity activities?

The Framework can help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. For example, Framework Profiles can be used to describe the current state and/or the desired target state of specific cybersecurity activities. Current Profiles indicate the cybersecurity outcomes that are currently being achieved, while Target Profiles indicate the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing these Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps to fulfill a given Category or Subcategory of the Framework Core can aid in setting priorities considering the organization’s business needs and its risk management processes.

The Framework Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which can also aid in prioritizing and achieving cybersecurity objectives. Tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.

With an understanding of cybersecurity risk tolerance, organizations can prioritize cybersecurity activities, enabling them to make more informed decisions about cybersecurity expenditures.  Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services. Risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.


Small Business Use

Does the Framework apply to small businesses?

Yes. The approach was developed for use by organizations that span the from the largest to the smallest of organizations.

Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations just getting started with cybersecurity?

NIST has a long-standing and on-going effort supporting small business cybersecurity. This is accomplished by providing guidance through websites, publications, meetings, and events. This includes a Small Business Cybersecurity Corner website that puts a variety of government and other cybersecurity resources for small businesses in one site. That includes the Federal Trade Commission’s information about how small businesses can make use of the Cybersecurity Framework.

NIST coordinates its small business activities with the Small Business Administration, the National Initiative For Cybersecurity Education (NICE), National Cyber Security Alliance,   the Department of Homeland Security, the FTC, and others.

Small businesses also may find Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) a valuable publication for understanding important cybersecurity activities. It is recommended as a starter kit for small businesses. The publication works in coordination with the Framework, because it is organized according to Framework Functions.


U.S. Federal Agency Use

Are U.S. federal agencies required to apply the Framework to federal information systems?

Yes. On May 11, 2017, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In part, the order states that “Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency's action plan to implement the Framework.” NIST developed NIST Interagency Report (IR) 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework to provide federal agencies with guidance on how the Cybersecurity Framework can help agencies to complement existing risk management practices and improve their cybersecurity risk management programs.

What is the relationship between the Framework and NIST's Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39)?

The Framework uses risk management processes to enable organizations to inform and prioritize cybersecurity decisions. It can be adapted to provide a flexible, risk-based implementation that can be used with a broad array of risk management processes, including, for example, SP 800-39. SP 800-39 describes the risk management process employed by federal organizations, and optionally employed by private sector organizations. The process is composed of four distinct steps: Frame, Assess, Respond, and Monitor. SP 800-39 further enumerates three distinct organizational Tiers at the Organizational, Mission/Business, and System level, and risk management roles and responsibilities within those Tiers. Organizations using the Framework may leverage SP 800-39 to implement the high-level risk management concepts outlined in the Framework. Within the SP 800-39 process, the Cybersecurity Framework provides a language for communicating and organizing. Further, Framework Profiles can be used to express risk disposition, capture risk assessment information, analyze gaps, and organize remediation.

What is the relationship between the Framework and NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37)?

Federal agencies manage information and information systems according to the Federal Information Security Management Act of 2002 (FISMA) and a suite of related standards and guidelines. Perhaps the most central FISMA guideline is NIST Special Publication (SP) 800-37 Risk Management Framework for Federal Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which details the Risk Management Framework (RMF). The RMF seven-step process provides a method of coordinating the interrelated FISMA standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security including incorporation of key Cybersecurity Framework, privacy risk management, and systems security engineering concepts. NIST held an open workshop for additional stakeholder engagement and feedback on the discussion draft of the Risk Management Framework, including its consideration of the Cybersecurity Framework.

NIST Interagency Report (IR) 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework identifies three possible uses of the Cybersecurity Framework in support of the RMF processes: “Maintain a Comprehensive Understanding of Cybersecurity Risk,” “Report Cybersecurity Risks,” and “Inform the Tailoring Process.” The CSF Core can help agencies to better-organize the risks they have accepted and the risk they are working to remediate across all systems, use the reporting structure that aligns to SP 800-53 r5, and enables agencies to reconcile mission objectives with the structure of the Core.

For more information, please see the CSF's Risk Management Framework page


Relationship Between the Framework and Other Approaches and Initiatives

What is the relationship between the Cybersecurity Framework and the NICE Cybersecurity Workforce Framework?

Workforce plays a critical role in managing cybersecurity, and many of the Cybersecurity Framework outcomes are focused on people and the processes those people perform. While some outcomes speak directly about the workforce itself (e.g., roles, communications, training), each of the Core subcategory outcomes is accomplished as a task (or set of tasks) by someone in one or more work roles. One could easily append the phrase “by skilled, knowledgeable, and trained personnel” to any one of the 108 subcategory outcomes. From this perspective, the Cybersecurity Framework provides the “what” and the NICE Framework provides the “by whom.”

While the Cybersecurity Framework and the NICE Framework were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.

The Cybersecurity Workforce Framework was developed and is maintained by the National Initiative for Cybersecurity Education (NICE), a partnership among government, academia, and the private sector with a mission to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. Where the Cybersecurity Framework provides a model to help identify and prioritize cybersecurity actions, the NICE Framework (NIST Special Publication 800-181) describes a detailed set of work roles, tasks, and knowledge, skills, and abilities (KSAs) for performing those actions.

The NIST Roadmap for Improving Critical Infrastructure Cybersecurity, a companion document to the Cybersecurity Framework, reinforces the need for a skilled cybersecurity workforce. It recognizes that, as cybersecurity threat and technology environments evolve, the workforce must adapt in turn. The NICE program supports this vision and includes a strategic goal of helping employers recruit, hire, develop, and retain cybersecurity talent. One objective within this strategic goal is to publish and raise awareness of the NICE Framework and encourage adoption. Adoption, in this case, means that the NICE Framework is used as a reference resource for actions related to cybersecurity workforce, training, and education.

What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework?

NIST modeled the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Cybersecurity Framework. While good cybersecurity practices help manage privacy risk by protecting information, those cybersecurity measures alone are not sufficient to address the full scope of privacy risks that also arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.

During the development process, numerous stakeholders requested alignment with the structure of the Cybersecurity Framework so the two frameworks could more easily be used together. In response to this feedback, the Privacy Framework follows the structure of the Cybersecurity Framework, composed of three parts: the Core, Profiles, and Implementation Tiers.

This structure enables a risk- and outcome-based approach that has contributed to the success of the Cybersecurity Framework as an accessible communication tool. In addition, the alignment aims to reduce complexity for organizations that already use the Cybersecurity Framework.

Details about how the Cybersecurity Framework and Privacy Framework functions align and intersect can be found in the Privacy Framework FAQs

Is the Framework being aligned with international cybersecurity initiatives and standards?

While the Framework was born through U.S. policy, it is not a "U.S. only" Framework. Private sector stakeholders made it clear from the outset that global alignment is important to avoid confusion and duplication of effort, or even conflicting expectations in the global business environment. These needs have been reiterated by multi-national organizations. The importance of international standards organizations and trade associations for acceptance of the Framework's approach has been widely recognized. Some countries and international entities are adopting approaches that are compatible with the framework established by NIST, and others are considering doing the same. The Framework has been translated into several other languages. NIST has been holding regular discussions with many nations and regions, and making noteworthy internationalization progress. NIST is actively engaged with international standards-developing organizations to promote adoption of approaches consistent with the Framework.

What is the relationship between the Framework and NIST's Cyber-Physical Systems (CPS) Framework?

The Cybersecurity Framework provides the underlying cybersecurity risk management principles that support the new Cyber-Physical Systems (CPS) Framework. The CPS Framework document is intended to help manufacturers create new CPS that can work seamlessly with other smart systems that bridge the physical and computational worlds.

The CPS Framework includes a structure and analysis methodology for CPS. The goal of the CPS Framework is to develop a shared understanding of CPS, its foundational concepts and unique dimensions, promoting progress through the exchange of ideas and integration of research across sectors and to support development of CPS with new functionalities.

What is the relationships between Internet of Things (IoT) and the Framework? Do we need an ‘IoT Framework?’

The Cybersecurity Framework is applicable to many different technologies, including Internet of Things (IoT) technologies. Developing separate frameworks of cybersecurity outcomes specific to IoT might risk losing a critical mass of users aligning their cybersecurity outcomes to the Cybersecurity Framework. To retain that alignment, NIST recommends continued evaluation and evolution of the Cybersecurity Framework to make it even more meaningful to IoT technologies. NIST welcomes observations from all parties regarding the Cybersecurity Framework’s relevance to IoT, and will vet those observations with the NIST Cybersecurity for IoT Program.

What is the relationship between the Framework and the Baldrige Cybersecurity Excellence Builder?

The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework.  The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk. 

What is the relationship between threat and cybersecurity frameworks?

Threat frameworks are particularly helpful to understand current or potential attack lifecycle stages of an adversary against a given system, infrastructure, service, or organization.  They characterize malicious cyber activity, and possibly related factors such as motive or intent, in varying degrees of detail.  Threat frameworks stand in contrast to the controls of cybersecurity frameworks that provide safeguards against many risks, including the risk that adversaries may attack a given system, infrastructure, service, or organization.  While NIST has not promulgated or adopted a specific threat framework, we advocate the use of both types of frameworks as tools to make risk decisions and evaluate the safeguards thereof.  In particular, threat frameworks may provide insights into which safeguards are more important at this instance in time, given a specific threat circumstance.  As circumstances change and evolve, threat frameworks provide the basis for re-evaluating and refining risk decisions and safeguards using a cybersecurity framework.  A threat framework can standardize or normalize data collected within an organization or shared between them by providing a common ontology and lexicon.

Example threat frameworks include the U.S. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework (CTF), Lockheed Martin’s Cyber Kill Chain®, and the Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model.  Each threat framework depicts a progression of attack steps where successive steps build on the last step.  At the highest level of the model, the ODNI CTF relays this information using four Stages – Preparation, Engagement, Presence, and Consequence.  These Stages are de-composed into a hierarchy of Objectives, Actions, and Indicators at three increasingly-detailed levels of the CTF, empowering professionals of varying levels of understanding to participate in identifying, assessing, managing threats.  This property of CTF, enabled by the de-composition and re-composition of the CTF structure, is very similar to the Functions, Categories, and Subcategories of the Cybersecurity Framework.  In its simplest form, the five Functions of Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – empower professionals of many disciplines to participate in identifying, assessing, and managing security controls.  It is recommended that organizations use a combination of cyber threat frameworks, such as the ODNI Cyber Threat Framework, and cybersecurity frameworks, such as the Cybersecurity Framework, to make risk decisions.

What is the relationship between the CSF and the National Online Informative References (OLIR) Program?

The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents like the Cybersecurity Framework. Informative references were introduced in The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) as simple prose mappings that only noted a relationship existed, but not the nature of the relationship. In addition, informative references could not be readily updated to reflect changes in the relationships as they were part of the Cybersecurity Framework document itself.

At this stage of the OLIR Program evolution, the initial focus has been on relationships to cybersecurity and privacy documents. The OLIRs are in a simple standard format defined by NISTIR 8278A (Formerly NISTIR 8204), National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers and they are searchable in a centralized repository. By following this approach, cybersecurity practitioners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity documents. You can find the catalog at: https://csrc.nist.gov/projects/olir/informative-reference-catalog.

Refer to NIST Interagency or Internal Reports (IRs)  NISTIR 8278  and NISTIR 8278A  which detail the OLIR program. The NISTIR 8278 focuses on the OLIR program overview and uses while the NISTIR 8278A provides submission guidance for OLIR developers.

The NIST OLIR program welcomes new submissions. For those interested in developing informative references, NIST is happy to aid in this process and can be contacted at olir [at] nist.gov.


International 

What is the difference between a translation and adaptation of the Framework?

 A translation is considered a direct, literal translation of the language of Version 1.0 or 1.1 of the Framework. No content or language is altered in a translation. Current translations can be found on the International Resources page.

An adaptation is considered a version of the Framework that substantially references language and content from Version 1.0 or 1.1 but incorporates new, original content. An adaptation can be in any language. Current adaptations can be found on the International Resources page.


Updates to the Cybersecurity Framework

Why is NIST deciding to update the Framework now toward CSF 2.0?

The NIST Cybersecurity Framework was intended to be a living document that is refined, improved, and evolves over time.  These updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice. NIST initially produced the Framework in 2014 and updated it in April 2018 with CSF 1.1. Based on stakeholder feedback, in order to reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST is planning a new, more significant update to the Framework: CSF 2.0.

How can I engage in the Framework update process? 

NIST intends to rely on and seek diverse stakeholder feedback during the process to update the Framework.  This will include workshops, as well as feedback on at least one framework draft.  You can learn about all the ways to engage on the CSF 2.0 how to engage page.

Should I use CSF 1.1 or wait for CSF 2.0? 

NIST expects that the update of the Framework will be a year plus long process.  Stakeholders are encouraged to adopt Framework 1.1 during the update process.  Recognizing the investment that organizations have made to implement the Framework, NIST will consider backward compatibility during the update of the Framework.


Communication with NIST

Does NIST encourage translations of the Cybersecurity Framework? If so, is there a procedure to follow?

NIST's policy is to encourage translations of the Framework. After an independent check on translations, NIST typically will post links to an external website with the translation.  These links appear on the Cybersecurity Framework’s International Resources page.

Those wishing to prepare translations are encouraged to use the Cybersecurity Framework Version 1.1.

Who can answer additional questions regarding the Framework?

Review the NIST Cybersecurity Framework web page for more information, contact NIST via email at cyberframework [at] nist.gov, and check with sector or relevant trade and professional associations.

How do I sign up for the mailing list to receive updates on the NIST Cybersecurity Framework?

To receive updates on the NIST Cybersecurity Framework, you will need to sign up for NIST E-mail alerts. The sign-up box is located at the bottom-right hand side on each Cybersecurity Framework-based web page, or on the left-hand side of other NIST pages. Once you enter your email address and select a password, you can then select "Cybersecurity Framework" under the "Subscription Topics" to begin receiving updates on the Framework. If you see any other topics or organizations that interest you, please feel free to select those as well. You may change your subscription settings or unsubscribe at anytime.

How can I share my thoughts or suggestions for improvements to the Cybersecurity Framework with NIST? 

There are many ways to participate in Cybersecurity Framework.

Participation in NIST Workshops, RFI responses, and public comment periods for work products are excellent ways to inform NIST Cybersecurity Framework documents. Less formal but just as meaningful, as you have observations and thoughts for improvement, please send those to . We value all contributions through these processes, and our work products are stronger as a result.

Participation in the larger Cybersecurity Framework ecosystem is also very important. NIST's vision is that various sectors, industries, and communities customize Cybersecurity Framework for their use. Examples of these customization efforts can be found on the CSF profile and the resource pages.

If you develop resources, NIST is happy to consider them for inclusion in the Resources page.

Thank you very much for your offer to help. Please keep us posted on your ideas and work products.

How can I engage with NIST relative to the Cybersecurity Framework?

NIST welcomes active participation and suggestions to inform the ongoing development and use of the Cybersecurity Framework.

Public and private sector stakeholders are encouraged to participate in NIST workshops and submit public comments to help improve the NIST Cybersecurity Framework and related guidelines and resources. Also, NIST is eager to hear from you about your successes with the Cybersecurity Framework and welcomes submissions for our Success Stories, Risk Management Resources, and Perspectives pages. Lastly, please send your observations and ideas for improving the CSF to cyberframework [at] nist.gov ()title="mailto:cyberframework [at] nist.gov". We value all contributions, and our work products are stronger and more useful as a result!

Created February 13, 2018, Updated January 6, 2023