What is the Framework, and what is it designed to accomplish?
The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
Does it provide a recommended checklist of what all organizations should do?
The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.
Why should an organization use the Framework?
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer or supplier.
When and how was the Framework developed?
Version 1.0 of the Framework was prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input and issued in February 2014. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. Among other things, the EO directed NIST to work with industry leaders to develop the Framework. The Framework was developed in a year-long, collaborative process in which NIST served as a convener for industry, academia, and government stakeholders. That took place via workshops, extensive outreach and consultation, and a public comment process. NIST's future Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework. ….This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework. The second draft update to V1.0 was released for public comment on December 5, 2017 as draft 2 of Framework version 1.1 and will be finalized after considering comments submitted before the January 19, 2018 deadline.
What is the purpose of Executive Order 13636?
Executive Order 13636 outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. In summary, it assigns these responsibilities and establishes the policy that, "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
Who from the private sector helped to develop the Framework?
More than 3,000 people from diverse parts of industry, academia, and government participated in the initial five workshops around the country. NIST received hundreds of detailed suggestions and comments in response to the initial request for information (RFI) and feedback on a public draft version of the Framework. Those regular workshops and public comments have continued, including feedback to NIST on the draft updates of the Framework and a related Roadmap.
Why is NIST involved? What is NIST's role in setting cybersecurity standards?
NIST is a federal agency within the United States Department of Commerce. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is also responsible for establishing computer- and information technology-related standards and guidelines for federal agencies to use. Many private sector organizations have made widespread use of these standards and guidelines voluntarily for several decades, especially those related to information security.
What critical infrastructure does the Framework address?
Critical infrastructure (for the purposes of this Framework) is defined in Presidential Policy Directive (PPD) 21 as: "Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Applicable infrastructure includes utilities providing energy and water as well as sectors covering transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, key manufacturers, emergency services and several others.
Does the Framework apply only to critical infrastructure companies?
No. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors (including federal agencies) are using the Framework. NIST encourages any organization or sector to review and consider the Framework as a helpful tool in managing cybersecurity risks.
Does the Framework benefit organizations that view their cybersecurity programs as already mature?
The Framework can be used by organizations that already have extensive cybersecurity programs, as well as by those just beginning to think about putting cybersecurity management programs in place. The same general approach works for any organization, although the way in which they make use of the Framework will differ depending on their current state and priorities.
How is the Framework being used today?
Organizations are using the Framework in a variety of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework's standards, guidelines, best practices. Some parties are using the Framework to reconcile and de-conflict internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices.
What is the Framework Core and how is it used?
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. An example of Framework outcome language is, "physical devices and systems within the organization are inventoried."
The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.
- What are Framework Profiles and how are they used?
A Framework Profile ("Profile") represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. They can also add Categories and Subcategories as needed to address the organization's risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
- What are Framework Implementation Tiers and how are they used?
Framework Implementation Tiers ("Tiers") provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
- Are the Tiers equivalent to maturity levels?
The Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective.
- What is the relationship between the Framework and NIST Roadmap for the Framework for Improving Critical Infrastructure Cybersecurity?
The companion Roadmap was initially released in February 2014 in unison with publication of the Framework version 1.0. The Roadmap discusses NIST's next steps with the Framework and identifies key areas of development, alignment, and collaboration. These plans are based on input and feedback received from stakeholders through the Framework development process. This list of high-priority areas is not intended to be exhaustive, but these are important areas identified by NIST and stakeholders that should inform future versions of the Framework. For that reason, the Roadmap will be updated over time in alignment with the most impactful stakeholder cybersecurity activities and the Framework itself.
What is the difference between 'using', 'adopting', and 'implementing' the Framework?
In a strict sense, these words are fairly interchangeable. They can mean an organization's use of the Framework as a part of its internal processes. NIST generally refers to "using" the Framework.
Would the Framework have prevented recent highly publicized attacks?
There are no "silver bullets" when it comes to cybersecurity and protecting an organization. For instance, "Zero-day" attacks exploiting previously unknown software vulnerabilities are especially problematic. However, using the Framework to assess and improve management of cybersecurity risks should put organizations in a much better position to identify, protect, detect, respond to, and recover from an attack, minimizing damage and impact.
Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?
Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.
How does the Framework relate to information sharing?
The Framework provides guidance on how awareness of real and potential threats and vulnerabilities can be used to enhance an organization's cybersecurity program.
Can the Framework help managing risk for assets that are not under my direct management?
Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers.
Should the Framework be applied to and by the entire organization or just to the IT department?
The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management, with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to organizational, mission/business, and IT and operational technology (OT)/industrial control system (ICS) systems level professionals. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.
How can the Framework help an organization with external stakeholder communication?
The Framework can be used to communicate with external stakeholders such as suppliers, services providers, and system integrators. More specifically, the Framework Core is a language in which to communicate, while Framework Profiles can be used to express security requirements.
What is the role of senior executives and Board members?
The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high level view of cybersecurity activities and outcomes that could be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.
How can organizations measure the effectiveness of the Framework?
Framework effectiveness depends upon each organization's goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user's discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.
How long does it take to implement the Framework?
Each organization's cybersecurity resources, capabilities, and needs are different. So the time to implement the Framework will vary among organizations, ranging from as short as a few weeks to several years. The Framework Core's hierarchical design enables organizations to apportion steps between current state and desired state in a way that is appropriate to their resources, capabilities, and needs. This allows organizations to develop a realistic action plan to achieve Framework outcomes in a reasonable time frame, and then build upon that success in subsequent activities.
Does the Framework require using any specific technologies or products?
No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.
Is a conformity assessment program being planned?
NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs. NIST is able to discuss conformity assessment-related topics with interested parties.
Will my organization be regulated against gaps between my current regulation and Framework?
The Framework was created with the current regulatory environment in mind, and does not replace or augment any existing laws or regulations. The Framework leverages industry best practices and methods for cybersecurity risk management, which are often used in regulation.
Is there a way to find out how organizations have used the Framework, and is there a place to get guidance that would help others?
Early users of the Framework are beginning to produce case studies, implementation guides, and other resources. These resources are starting to be available through trade and professional associations. NIST is also listing those items at the Framework Web site on the Industry Resources web page, as we become aware of them.
What if Framework guidance or tools do not seem to exist for my sector or community?
The Framework is designed to be applicable to any organization in any part of the critical infrastructure or broader economy. Applications from one sector may work equally well in others. It is expected that many organizations face the same kinds of challenges. There are published case studies and guidance that can be leveraged, even if they are from different sectors or communities. Organizations can encourage associations to produce sector-specific Framework mappings and guidance and organize communities of interest. You may also find value in coordinating within your organization or with others in your sector or community.
Why did NIST create the Perspectives web pages?
The Perspectives web pages is meant to inform people’s decision to use Framework. The pages contain meaningful quotes that describe why Framework is important or recommend its use. Survey information that indicates usage is also provided.
Are there any case studies for Framework?
NIST knows of three case studies. Intel, the University of Pittsburg, and the University of Chicago case studies are all listed in our Resources pages.
Case studies are really important ways to explain why and how Framework is used within organizations. NIST encourages additional case studies to share best practices. For case study tips or templates, or to register additional case studies, please contact NIST at firstname.lastname@example.org.
Does it apply to small businesses?
Yes. The approach was developed for use by organizations that span the largest to the smallest organizations. See the Small Business Use section of this FAQ for more information.
Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations just getting started with cybersecurity?
NIST has a long-standing and on-going effort supporting small business cybersecurity. This is accomplished by providing guidance through publications, meetings, and events. Materials and an associated program description are available at the Computer Security Resource Center. NIST coordinates these activities with the Small Business Administration and the Federal Bureau of Investigation’s InfraGuard program.
Small businesses may find Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) a valuable publication for understanding important cybersecurity activities. It is recommended as a starter kit for small businesses. The publication is works in coordination with the Framework, because it is organized according to Framework Functions.
Are U.S. federal agencies required to apply the Framework to federal information systems?
Yes. On May 11, 2017, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In part, the order states that “Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency's action plan to implement the Framework.”
Can U.S. Federal agencies apply the Framework to Federal information systems?
Yes. The Framework can help agencies to integrate existing risk management and compliance efforts and structure consistent communication, both across teams and with leadership. It can be valuable in managing federal information and information systems according to the Risk Management Framework (RMF), implementing security controls detailed in SP 800-53 revision 4, and using the methodology outlined in SP 800-39.
How is NIST integrating Cybersecurity Framework into the cybersecurity risk management practices of federal agencies?
NIST is updating its suite of cybersecurity and privacy risk management publications (e.g. SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems) to provide additional guidance on how to integrate implementation of the Framework. Similarly, the larger suite of NIST security and privacy risk management publications will be updated in consideration of NIST IR 8170 feedback and general Framework value.
Why did NIST author Interagency Publication 8170?
Federal agencies are now required by a May 2017, Executive Order to apply the Framework to federal information systems. (See Section 1(c)(ii) of the Order.) The Framework can help agencies to integrate existing risk management and compliance efforts and to structure consistent communication, both across teams and with leadership. NIST is revising a draft NIST Interagency Report 8170: The Cybersecurity Framework: Implementation Guidance for Federal Agencies to provide federal agencies with guidance on how the Cybersecurity Framework can help agencies to complement those existing risk management practices and improve their cybersecurity risk management programs. The draft report summarizes eight private sector uses of Framework, which may also be useful for federal agencies.
What is the relationship between the Framework and NIST's Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39)?
The Framework uses risk management processes to enable organizations to inform and prioritize cybersecurity decisions. It can be adapted to provide a flexible, risk-based implementation that can be used with a broad array of risk management processes, including, for example, SP 800-39. SP 800-39 describes the risk management process employed by federal organizations, and optionally employed by private sector organizations. The process is composed of four distinct steps: Frame, Assess, Respond, and Monitor. SP 800-39 further enumerates three distinct organizational Tiers at the Organizational, Mission/Business, and System level, and risk management roles and responsibilities within those Tiers. Organizations using the Framework may leverage SP 800-39 to implement the high-level risk management concepts outlined in the Framework. Within the SP 800-39 process, the Cybersecurity Framework provides a language for communicating and organizing. Further, Framework Profiles can be used to express risk disposition, capture risk assessment information, analyze gaps, and organize remediation.
What is the relationship between the Framework and NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37)?
Federal agencies manage information and information systems according to the Federal Information Security Management Act of 2002 (FISMA) and a suite of related standards and guidelines. Perhaps the most central FISMA guideline is NIST Special Publication (SP) 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, which details the Risk Management Framework (RMF). The RMF six-step process provides a method of coordinating the inter-related FISMA standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.
To further assist federal agencies with integrating the Cybersecurity Framework and the Risk Management Framework, NIST issued a discussion draft of Special Publication 800-37, Revision 2 – Risk Management Framework for Information Systems and Organizations, which includes incorporation of key Cybersecurity Framework, privacy risk management and systems security engineering concepts. NIST held an open workshop for additional stakeholder engagement and feedback on the discussion draft of the Risk Management Framework, including its consideration of Cybersecurity Framework.
The draft NIST Interagency Report 8170: The Cybersecurity Framework: Implementation Guidance for Federal Agencies identifies three possible uses of Cybersecurity Framework in support the RMF processes: “Maintain a Comprehensive Understanding of Cybersecurity Risk,” Report Cybersecurity Risks,” and “Inform the Tailoring Process.” Maintain a Comprehensive Understanding of Cybersecurity Risk suggests Cybersecurity Framework might be used as a way to track aggregate risk across all System Authorization Packages, supporting RMF Authorize activities and decisions. Report Cybersecurity Risks describes how Cybersecurity Framework might be used to report the on-going risk of system(s), as observed during RMF Monitor activities. Finally, Inform the Tailoring Process shows how requirements managed through Cybersecurity Framework might be used to adjust an initial controls baseline to a final controls baseline.
- What type of NIST publication is The Framework for Improving Critical Infrastructure Cybersecurity?
Given the broad applicability of the Cybersecurity Framework and the requirement for neutral authorities for what is primarily a voluntary guidance, the document was published as, and remains, a white paper. It is not an Interagency Report, Special Publication, or Federal Information Processing Standard.
What is the relationship between the Framework and the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program?
EO 13636 directed the National Institute of Standards and Technology to work with industry to develop a framework for reducing cybersecurity risks. The EO also charged the Department of Homeland Security with developing a voluntary program to promote use of the Framework and help critical infrastructure organizations improve their cybersecurity. In February 2014, DHS launched the Critical Infrastructure Cyber Community (C3, pronounced "C-Cubed") Voluntary Program. The C3 Voluntary Program helps align critical infrastructure owners and operators with existing resources to assist in their efforts to use the Framework and manage their cybersecurity risks. More information about the C3 Voluntary Program may be found on the DHS Web site.
What is the relationship between the Framework and the DHS Cyber Resilience Review?
A description of the relationship between the DHS Cyber Resilience Review (CRR) and the Cybersecurity Framework can be found at the DHS Web site.
Is the Framework being aligned with international cybersecurity initiatives and standards?
While the Framework was born through U.S. policy, it is not a "U.S. only" Framework. Private sector stakeholders made it clear from the outset that global alignment is important to avoid confusion and duplication of effort, or even conflicting expectations in the global business environment. These needs have been reiterated by multi-national organizations. The importance of international standards organizations and trade associations for acceptance of the Framework's approach has been widely recognized. Some countries and international entities are adopting approaches that are compatible with the framework established by NIST, and others are considering doing the same. NIST has been holding regular discussions with many nations and regions, and making noteworthy internationalization progress. NIST is actively engaged with international standards-developing organizations to promote adoption of approaches consistent with the Framework.
What is the relationship between the Framework and NIST's Cyber-Physical Systems (CPS) Framework?
The Cybersecurity Framework provides the underlying cybersecurity risk management principles that support the new Cyber-Physical Systems (CPS) Framework. The CPS Framework document is intended to help manufacturers create new CPS that can work seamlessly with other smart systems that bridge the physical and computational worlds.
The CPS Framework ( https://pages.nist.gov/cpspwg/) includes a structure and analysis methodology for CPS. The goal of the CPS Framework is to develop a shared understanding of CPS, its foundational concepts and unique dimensions, promoting progress through the exchange of ideas and integration of research across sectors and to support development of CPS with new functionalities.
What is the relationships between Internet of Things (IoT) and Framework? Do we need an ‘IoT Framework?’
Cybersecurity Framework is applicable to many different technologies, including Internet of Things (IoT) technologies. Developing separate frameworks of cybersecurity outcomes specific to IoT might risk losing a critical mass of users aligning their cybersecurity outcomes to Cybersecurity Framework. To retain that alignment, NIST recommends continued evaluation and evolution of the Cybersecurity Framework to make it even more meaningful to IoT technologies. NIST welcomes observations from all parties regarding Cybersecurity Framework’s relevance to IoT, and will vet those observations with the NIST Cybersecurity for IoT Program.
What is the relationship between the Framework and the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework. The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk.
Will the Framework be updated?
Yes, the Framework was always meant to be a “living document,” and will be updated to keep pace with technology and threat trends, integrate lessons learned, and establish best practice as common practice. For those reasons, the Framework will be refined, improved, and evolved over time. The development of proposed updates and finalization of those updates into new versions of the Framework is and will be done in coordination with our stakeholders and in consultation with the parties outlined in the Cybersecurity Enhancement Act of 2014
Why is NIST proposing to revise the Cybersecurity Framework now?
Generally, feedback from the December 2015 RFI indicated Cybersecurity Framework (the Framework) stakeholders are ready for some refinement and clarification in the form of an update. NIST has expressed the notion of periodic updates since Framework development work began in February 2013. NIST is proceeding with an update per our roleThe Cybersecurity Enhancement Act of 2014 (Public Law 113-274) calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. Framework updates have been expressed as a normal modus operandi since NIST began working on the Framework in February 2013.
How did NIST determine features for this update?
Framework stakeholders provided initial feedback to NIST through: a December 2015 Request for Information, lessons learned from Framework use, shared resources from industry partners, and an April 2016 Cybersecurity Framework workshop. When Version 1.1 Draft 1 was issued on January 10, 2017, NIST solicited comments and held a workshop in May 2017 to review and discuss those and other comments. NIST also considered feedback received through meetings and events since the release of Framework Version 1.0, as well as advances made in areas identified in the Roadmap issued in February 2014 when the Framework was initially published.
What changes are included in the proposed revision?
The second draft revision Version 1.1:
- Declares applicability of the Framework for "technology," which is minimally composed of information technology, operational technology, cyber-physical systems, and Internet of Things,
- Enhances guidance for applying the Framework to supply chain risk management,
- Summarizes the relevance and utility of Framework measurement for organizational self-assessment,
- Better accounts for authorization, authentication, and identity proofing, and
- Administratively updates the Informative References.
The supply chain, measurement, and identity changes in this most recent draft further modify text in the first draft revision, which also clarified use of Implementation Tiers and their relationship to Profiles.
Were there changes proposed to the Framework in light of progress made in areas identified in the 2014 Roadmap?
Yes. The most notable changes are related to Supply Chain Risk Management, where multiple provisions have been added, including a new category in the Framework Core and a new property within Implementation Tiers. Additional provisions related to identity management and access control have been included in the proposed update. Also, statements about Federal agency Framework are included in the proposed update. Informative References also have been updated, reflecting the advancement of standards and guidelines by private and public sector organizations.
What does this mean for organizations that already have incorporated the current Framework?
The Framework update (V1.1) is intended to be fully compatible with V1.0. Either version may be used. NIST recommends that organizations incorporate the additional content and functionality of V1.1 once it is finalized, but decision and timing are up to the individual organization. This is a voluntary framework.
Should organizations use the latest, draft version or should they wait until it is finalized?
Each organization should review the proposed changes and decide if there are provisions that will benefit them right away, or whether they should wait until changes are final. At a minimum, every organization is encouraged to review the proposed update. NIST encourages reviewers to comment on this draft update. It is noteworthy that stakeholder opinion on the proposed updates in the comment period (open through 10 April 2017) and at the upcoming workshop (May 2017, dates TBD) stands to significantly shape Version 1.1 of Framework. There could be substantive changes between the draft and final versions.
Will comments provided to NIST be made public, and when will the changes become final? Will there be a public forum for discussion of these proposed changes?
Using the Cybersecurity Framework website, NIST will publish all comments received in response to the January 25, 2017, Federal Register notice. NIST anticipates publishing a final V1.1 in the fall of 2017 after considering all comments received. NIST is planning a mid-late May 2017 workshop to discuss comments about the proposed update. That workshop also will explore user experiences and Framework-related areas that continue to need greater attention by the private and public sectors.
What assistance will NIST provide to organizations that choose to incorporate the additional content and functionality of the new version of the Framework?
NIST will continue to educate organizations through both NIST-hosted and other events. NIST will regularly update its web-based FAQs, presentations, and Industry Resources page that offers information about how organizations are using or citing the Framework. NIST also will continue to respond to questions it receives at: email@example.com.
Once this updated version is finalized, how often will NIST update the Framework?
Decisions about the timing of updates will be made based on user experiences, technological advances, and standards innovations. Updates similar to the current proposal will likely occur no more frequently than every other year.
What are Informative References?
Informative References (“References”) show relationships between Framework Functions, Categories, and Subcategories and specific sections of standards, guidelines, and practices common among Framework stakeholders. Informative References illustrate ways to achieve Framework outcomes. For instance, it may be possible to achieve the outcome “data-at-rest is protected” from the Framework Protect, Data Security, Subcategory 1 (PR.DS-1) using Media Protection Policy and Procedures Control 8 (MP-8) and System and Communications Protection Policy and Procedures Controls 12 and 28 (SC-12 and SC-28) from Special Publication 800-53 revision 4.
What are online Informative References (OLIR)?
OLIR is a NIST program serving two functions: a.) to provide a process for stakeholders to create, submit, and publish (on line),References to the Framework and b.) for consumers of these References to use, apply, and comment on the published cross references.
Why were online Informative References necessary?
Historically, a smaller subset of References were published in the Framework document. The online environment provides a more agile support model to account for the varying update cycles of all Reference documents. OLIR allows for the Framework community to keep information current on relationship assertions to the Framework. OLIR is also scalable to accommodate a large number of References, whereas the Framework document might become less consumable with a similar number of References.
Where can I comment, and provide feedback about the Online Informative Reference Program?
NIST welcomes feedback to firstname.lastname@example.org.
What is the difference between a Reference and a Reference Document?
A Reference Document is the cybersecurity document that is being related to the Framework (e.g., ISO 27001, SP800-54 Revision 4, etc.). A Reference is a separate work product that shows multiple relationships between specific Reference elements and Framework elements.
What is an element?
An element is a section, subsection, paragraph, or sentence within a document. For instance, individual security controls in NIST Special Publication 800-53 might be considered elements. Similarly, control enhancements might be considered elements. Optimally, each element has a unique identifier that can be used to easily define relationships. In Framework, the 5 Functions, 22 Categories, and 98 Subcategories are all discrete elements with unique identifiers.
What general types of relationships might be defined in a Reference?
It is possible for a given Reference to define relationships at the Function, Category, and Subcategory level of Framework (i.e., differing levels of abstraction). These types of relationships are annotated in a Reference by displaying Reference Document element(s) on the same row as a Function, Category, or Subcategory.
Relationships of one element in a Reference Document to one element in Framework are called one-to-one relationships. One-to-one relationships are annotated in a Reference by displaying one Framework Function, Category, or Subcategory on a single row with one Reference Document element.
It is more typical that many elements from a Reference Document relate to an individual Framework element (i.e., many-to-many relationship). Similarly, it is possible that many Framework elements relate to a given element of a Reference Document. Many-to-one relationships are annotated in a Reference document by displaying one Framework Function, Category, or Subcategory on multiple rows with multiple Reference Document elements (one Reference Document element per row).
What are the five options in the Relationships column of the Reference spreadsheet?
To maximize the value of References, NIST has provided a more specific vocabulary to define relationships between Framework and Reference Document elements. These options are in addition to relationships of one-to-one, many-to-one, and varying levels of abstraction. They are:
Subset of – Occurs when Reference Document element entirely fulfills Framework element, but Framework element does not entirely fulfill Reference Document element.
Intersects with – Occurs when Reference Document element partially fulfills Framework element, and Framework element partially fulfills Reference Document element.
Equivalent to – Occurs when Reference Document element entirely fulfills Framework element, and Framework element entirely fulfills Reference Document element.
Superset of – Occurs when Framework element entirely fulfills Reference Document element, but Reference Document element does not entirely fulfill Framework element.
Not related to – Occurs when Framework element do not fulfill Reference Document element, and Reference Document element does not fulfill Framework element.
Reference authors must annotate each Framework-Reference Document element pair with one, and only one, of these relationships.
Are References publicly available?
Yes. Once the submitting organization has refined the Reference to NIST’s specification and submitted it for public review, the References become publicly available through the OLIR site and as hosted on the Internet by the Reference submitting organizations.
Who can author and submit References?
Anyone can author and submit References. The NIST process for accepting, vetting, and linking to these stakeholder submission is described at the OLIR Submitters Page.
If more than one Reference is submitted for a single Reference Document, which one should I use?
The OLIR site is meant to be a community catalog. However, the References themselves come with no guarantees or endorsements from NIST. Therefore, it is incumbent on the consumer of References to do its due diligence when making business/security decisions for Framework implementation. The implementing party may give preference to References that are authored by the same organization that authored the Reference Document (a.k.a. an “authoritative” Reference).
What if I disagree with an Reference assertion, can I provide feedback?
Please provide feedback regarding References at email@example.com.
Are Federal agencies and government contractors required to use the Framework References?
While Federal agencies are required to use the Framework through Executive Order 13800, use of References is at the discretion of each agency according to their unique risk and resourcing contexts.
How should federal agencies use the Framework References?
The mapping and pending Reference of SP 800-53 controls to Framework provides a basis for two important dimensions of FISMA fulfillment. Firstly, the SP 800-53-Framework Reference provides a means to “roll up” reporting from the control level to a less granular reporting structure. This may be helpful in providing executive views of risk and in any representations of risk to parties outside of a given federal agency. Secondly, the SP 800-53-Framework structure may enable additional and more seamless “Organizational Inputs” into control selection, implementation, and management. Both of these proposed uses of Framework for federal agencies are detailed in the draft NIST IR 8170 -The Cybersecurity Framework: Implementation Guidance for Federal Agencies.
In addition, agencies may elect to or need to manage and measure cybersecurity using means other than NIST guidance. An example would be the use of ISO 27001 within a federal setting. In this circumstance, the Framework offers agencies a structure to align SP 800-53 controls and ISO 27001 guidance into a singular cybersecurity program management construct. The Reference documents provide a foundation to bring these documents together.
How can I ensure resources or case studies my organization has released publicly are visible for others to use?
Share them with NIST via email (firstname.lastname@example.org(link sends e-mail)), sector organizations (where applicable), trade and professional associations, and post information on your organization's website.
Who can answer additional questions regarding Framework?
Review the NIST Cybersecurity Framework web page for more information, contact NIST via email (email@example.com(link sends e-mail)), and check with sector or relevant trade and professional associations.
How do I sign up for the mailing list to receive updates on the NIST Cybersecurity Framework?
To receive updates on the NIST Cybersecurity Framework, you will need to sign up for NIST E-mail alerts. The sign-up box is located at the bottom-right hand side on each Cybersecurity Framework-based web page, or on the left-hand side of other NIST pages. Once you enter your email address and select a password, you can then select "Cybersecurity Framework" under the "Subscription Topics" to begin receiving updates on the Framework. If you see any other topics or organizations that interest you, please feel free to select those as well. You may change your subscription settings or unsubscribe at anytime.
Participation in NIST Workshops, RFI responses, and public comment periods for work products are excellent ways to influence NIST Cybersecurity Framework documents. Less formal but just as meaningful, as you have observations and thoughts for improvement, please send those to firstname.lastname@example.org. We value all contributions through these processes, and our work products are stronger as a result.
Participation in the larger Cybersecurity Framework ecosystem is also very important. NIST's vision is that various sectors, industries, and communities customize Cybersecurity Framework for their use. Customization efforts include:
- cross-walking key legislation and regulation to the Cybersecurity Framework (e.g., Health and Human Services' HIPPA Security Rule Crosswalk to NIST Cybersecurity Framework),
- developing Profiles that reflect business/mission priorities of a given stakeholder group (e.g., Federal Communications Commission (FCC) Communications, Security, Reliability and Interoperability Council's (CSRIC)Cybersecurity Risk Management and Best Practices Working Group 4: Final Report),
- publishing case studies on Cybersecurity Framework implementation (e.g., An Intel Use Case for the Cybersecurity Framework in Action)
If you develop similar resources, NIST is happy to consider them for inclusion in the Industry Resources page.
Thank you very much for your offer to help. Please keep us posted on your ideas and work products.