Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


07:00 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli

5 Years of the NIST Cybersecurity Framework

With NIST celebrating the five-year anniversary of its widely adopted and recommended Cybersecurity Framework just last month, a look back over the years illustrates how far the Framework has come.

Last month, the NIST Cybersecurity Framework celebrated its five-year anniversary.

In February 2013, then-President Barack Obama ordered the National Institute of Science and Technology (NIST) to develop a voluntary framework for cybersecurity.

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," dictates the pursuant executive order.

Twelve months later, NIST released the original version of the NIST Cybersecurity Framework, then titled "Framework for Improving Critical Infrastructure Security."

Beyond critical infrastructureIndeed, the executive order mandating the creation of the Framework specified that the Framework be developed "to reduce cyber risks to critical infrastructure" -- but the Framework has evolved substantially since then. It has been adopted far beyond the realm of critical infrastructure, across myriad industries -- particularly as cyber-insurance carriers have all but required clients to follow the Framework as a condition of coverage. The year after NIST released its Framework, Gartner reported that it was then already in use in more than 30% of US organizations.

"Since its initial release in February 2014, we've seen extensive use of the Framework by diverse companies, sectors, governments, and other organizations," Kevin Stine, chief of the Applied Cybersecurity Division in NIST's Information Technology Lab, told Security Now. "Because the Framework offers a flexible approach that is anchored in the principle of risk management, it can be extended and interpreted to meet the business objectives of an organization -- whatever its priorities."

What's more, NIST has seen its Framework extend its guidance beyond US borders. The agency reports that several other sovereignties -- including Bermuda, Israel, Italy and Japan -- have adopted their own adaptations of the Framework.

Back in the US, the Framework, although voluntary, has taken the effect of "pseudo-law" in some cases. Federal regulatory agencies -- notably including the FTC as well as numerous bodies regulating the financial sector -- have held those it investigates to the Framework's standards when determining data-protection adequacy. Other agencies have made Framework compliance mandatory for their government contractors.

"For financial services companies, the NIST Framework seems to restate many best practices that financial services companies adhere to in their general risk management programs," Sean Mahoney, Northern Bank's General Counsel, told Security Now. "For companies in other industries, the framework is designed to address a cybersecurity program at various states of maturity."

Making security frameworks accessibleTo this end, the heart of the Framework relies on identifying, defining and tying international standards to each of five cyclical functions:

  • Identify [threats],
  • Protect [against threats],
  • Detect [intrusions/incidents],
  • Respond [to incidents], and
  • Recover [from incidents].

In this respect, the Framework is both an aggregator of several widely accepted best practices and a translator to allow for better, Framework-tied communication between the IT elite and lay decision-makers in the organization. To better aid in this, NIST has worked on making the Framework more accessible to organizations of all types and sizes through additional documentation, as well as direct engagement with the private sector and NGOs.

Small businesses, in particular, have drawn special attention because of their special needs. In November 2016, NIST released a guide for small businesses on using principles from the Framework to improve their cybersecurity. More recently, this very month, NIST announced that its "Small Business Cybersecurity Corner" had gone live online as an additional resource to organizations wading their way through cyber-risk management.

"NIST is committed to an open and transparent private-public partnership," said Stine. "NIST has continuously worked with all stakeholders to understand current and future challenges in the cybersecurity space through requests for information, workshops and other engagement methods."

Framework updatesAbout four months ago, for instance, NIST held a workshop on managing cybersecurity risk as, in Stine's words, "an opportunity for NIST to hear from industry [and] academia, as well as national and international collaborators, on current challenges and opportunities in the space." According to Stine, the discussion from this workshop will inform updates to further NIST guidance related to the Framework. And, to be clear, NIST and its spokespeople (including Stine in his recent comments to Security Now) have long made clear that the Framework represents "a living document" that must adjust to the ever-changing world of cyber threats and risk mitigations.

Even so, the Framework -- particularly with its first actual update (dubbed "version 1.1") last year -- seems to have withstood the test of time as a superior option even to many security frameworks developed in house. (See Digital Transformation With IoT: Assessing Risk Through Standards & Visibility.)

"This update included increased treatment of supply-chain risk management, authentication, coordinated vulnerability disclosure, and other concepts in the Framework Core," elaborated Stine. "Additionally, the Framework Implementation Tiers were enhanced to provide more guidance to organizations in the execution of a cybersecurity risk management program."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...