NIST-Cybersecurity Framework (CSF)

More than ever, organizations must balance a rapidly evolving cyber threat landscape against the need to fulfill business requirements. To help these organizations manage their cybersecurity risk, NIST convened stakeholders to develop a Cybersecurity Framework that addresses threats and supports business. While the primary stakeholders of the Framework are U.S. private-sector owners and operators of critical infrastructure, its user base has grown to include communities and organizations across the globe.

The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. It provides a common language that allows staff at all levels within an organization—and at all points in a supply chain—to develop a shared understanding of their cybersecurity risks. NIST worked with private-sector and government experts to create the Framework, which was released in early 2014. The effort went so well that Congress ratified it as a NIST responsibility in the Cybersecurity Enhancement Act of 2014.

The Framework not only helps organizations understand their cybersecurity risks (threats, vulnerabilities and impacts), but how to reduce these risks with customized measures. The Framework also helps them respond to and recover from cybersecurity incidents, prompting them to analyze root causes and consider how they can make improvements. Companies from around the world have embraced the use of the Framework, including JP Morgan Chase, Microsoft, Boeing, Intel, Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.

NIST continues to promote awareness of the Framework and its implementation in domestic and international markets. NIST also continues to work with industry and other stakeholders to ensure that updates to the Framework maintain its relevance and utility for a broad range of organizations.