NIST Cybersecurity Framework: Five years later

Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014. Its development was the result of a year-long collaborative process involving hundreds of organizations and individuals from industry, academia and government agencies.

“Although the Cybersecurity Framework was developed initially with a focus on our critical infrastructure, such as transportation and the electric power grid, today it is having a much broader, positive impact in this country and around the world,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.

“NIST is committed to ensuring that even more organizations, especially smaller companies, know about and are able to use the Cybersecurity Framework to help strengthen the security of their systems, operations and data, and to make wise, cost-effective choices to mitigate cybersecurity and privacy risks,” said Copan.

Interest in using the Cybersecurity Framework is picking up speed. The framework’s first update, Version 1.1 released in April 2018, has been downloaded more than 267,000 times. Overall, the framework has been downloaded more than half a million time since its initial publication in 2014.

Although its use is voluntary for the private sector, it became mandatory for all U.S. federal agencies through a 2017 Presidential executive order.

The Cybersecurity Framework has been translated into Hebrew, Italian, Japanese and most recently, Spanish. Portuguese and Arabic translations are expected soon. Multiple countries reference or draw upon the framework in their own approaches. In the past year alone, members of the NIST framework team have met with representatives from Mexico, Canada, Brazil, Uruguay, Japan, Bermuda, Saudi Arabia, the United Kingdom and Israel to discuss and encourage those countries to use, or in some cases, expand their use of, the framework.

“NIST continues to improve the information about and accessibility to the Cybersecurity Framework,” said Kevin Stine, chief of the Applied Cybersecurity Division at NIST. He said that over the past year, NIST has launched a catalog of online learning modules and made available success stories that describe how various organizations are using the framework and include lessons learned.