Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


07:00 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli

5 Years of the NIST Cybersecurity Framework

With NIST celebrating the five-year anniversary of its widely adopted and recommended Cybersecurity Framework just last month, a look back over the years illustrates how far the Framework has come.

Last month, the NIST Cybersecurity Framework celebrated its five-year anniversary.

In February 2013, then-President Barack Obama ordered the National Institute of Science and Technology (NIST) to develop a voluntary framework for cybersecurity.

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," dictates the pursuant executive order.

Twelve months later, NIST released the original version of the NIST Cybersecurity Framework, then titled "Framework for Improving Critical Infrastructure Security."

Beyond critical infrastructureIndeed, the executive order mandating the creation of the Framework specified that the Framework be developed "to reduce cyber risks to critical infrastructure" -- but the Framework has evolved substantially since then. It has been adopted far beyond the realm of critical infrastructure, across myriad industries -- particularly as cyber-insurance carriers have all but required clients to follow the Framework as a condition of coverage. The year after NIST released its Framework, Gartner reported that it was then already in use in more than 30% of US organizations.

"Since its initial release in February 2014, we've seen extensive use of the Framework by diverse companies, sectors, governments, and other organizations," Kevin Stine, chief of the Applied Cybersecurity Division in NIST's Information Technology Lab, told Security Now. "Because the Framework offers a flexible approach that is anchored in the principle of risk management, it can be extended and interpreted to meet the business objectives of an organization -- whatever its priorities."

What's more, NIST has seen its Framework extend its guidance beyond US borders. The agency reports that several other sovereignties -- including Bermuda, Israel, Italy and Japan -- have adopted their own adaptations of the Framework.

Back in the US, the Framework, although voluntary, has taken the effect of "pseudo-law" in some cases. Federal regulatory agencies -- notably including the FTC as well as numerous bodies regulating the financial sector -- have held those it investigates to the Framework's standards when determining data-protection adequacy. Other agencies have made Framework compliance mandatory for their government contractors.

"For financial services companies, the NIST Framework seems to restate many best practices that financial services companies adhere to in their general risk management programs," Sean Mahoney, Northern Bank's General Counsel, told Security Now. "For companies in other industries, the framework is designed to address a cybersecurity program at various states of maturity."

Making security frameworks accessibleTo this end, the heart of the Framework relies on identifying, defining and tying international standards to each of five cyclical functions:

  • Identify [threats],
  • Protect [against threats],
  • Detect [intrusions/incidents],
  • Respond [to incidents], and
  • Recover [from incidents].

In this respect, the Framework is both an aggregator of several widely accepted best practices and a translator to allow for better, Framework-tied communication between the IT elite and lay decision-makers in the organization. To better aid in this, NIST has worked on making the Framework more accessible to organizations of all types and sizes through additional documentation, as well as direct engagement with the private sector and NGOs.

Small businesses, in particular, have drawn special attention because of their special needs. In November 2016, NIST released a guide for small businesses on using principles from the Framework to improve their cybersecurity. More recently, this very month, NIST announced that its "Small Business Cybersecurity Corner" had gone live online as an additional resource to organizations wading their way through cyber-risk management.

"NIST is committed to an open and transparent private-public partnership," said Stine. "NIST has continuously worked with all stakeholders to understand current and future challenges in the cybersecurity space through requests for information, workshops and other engagement methods."

Framework updatesAbout four months ago, for instance, NIST held a workshop on managing cybersecurity risk as, in Stine's words, "an opportunity for NIST to hear from industry [and] academia, as well as national and international collaborators, on current challenges and opportunities in the space." According to Stine, the discussion from this workshop will inform updates to further NIST guidance related to the Framework. And, to be clear, NIST and its spokespeople (including Stine in his recent comments to Security Now) have long made clear that the Framework represents "a living document" that must adjust to the ever-changing world of cyber threats and risk mitigations.

Even so, the Framework -- particularly with its first actual update (dubbed "version 1.1") last year -- seems to have withstood the test of time as a superior option even to many security frameworks developed in house. (See Digital Transformation With IoT: Assessing Risk Through Standards & Visibility.)

"This update included increased treatment of supply-chain risk management, authentication, coordinated vulnerability disclosure, and other concepts in the Framework Core," elaborated Stine. "Additionally, the Framework Implementation Tiers were enhanced to provide more guidance to organizations in the execution of a cybersecurity risk management program."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.