NIST Cyber Security Framework

The NIST Cyber Security Framework was created through collaboration between industry and government. The Framework consists of standards, guidelines, and practices that promote the protection of critical infrastructure. Its prioritized, flexible, repeatable, and cost-effective approach helps owners and operators of critical infrastructure manage cybersecurity-related risk.

The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cyber-security risk.  In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders.


NIST Cyber Security Framework and Risk

The Framework helps an organization to better understand, manage, and reduce its cybersecurity risks. It assists in determining which activities are most important to assure critical operations and service delivery. In turn, that helps to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language for addressing cybersecurity risk management, it is especially helpful for communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives. Organizations can also readily use the Framework to communicate current or desired cybersecurity posture between a buyer and a supplier.

Executive Order Improving Critical Infrastructure Cyber Security

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.

Executive Order 13636 outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity.  In summary, it assigns these responsibilities and establishes the policy that, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”