The NIST Cybersecurity Framework

Gregory B. White (CIAS, The University of Texas at San Antonio, USA) and Natalie Sjelin (CIAS, The University of Texas at San Antonio, USA)
Copyright: © 2022 |Pages: 17
DOI: 10.4018/978-1-6684-3698-1.ch003


With the increase in cybercrime over the last few years, the nation has come to a growing realization that cybersecurity is something it needs. Unfortunately, being aware that cybersecurity is something you need to worry about and knowing what steps to take are two different things entirely. In the United States, the National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) to assist critical infrastructures in determining what they need in order to secure their computer systems and networks. While aimed at organizations, much of the guidance provided by the CSF, especially the basic functions it identifies, is also valuable for communities attempting to put together a community cybersecurity program.
Chapter Preview


Since the 1990s, the federal government has been keenly aware of the dangers cyber events pose to the various critical infrastructures and has therefore focused considerable attention on securing these infrastructures. PDD 63, issued in 1998 and discussed earlier in the text, was a big step forward in organizing the efforts of the various critical infrastructure sectors so that they could work together to solve the challenges they each faced. Then, in 2013, the White House issued Executive Order 13636 (2013), Improving Critical Infrastructure Cybersecurity, which continued the focus on the critical infrastructures and attempted to keep things moving in a direction that would lead to more secure infrastructures. Besides addressing information sharing, as was discussed in a previous chapter, EO 13636 also directed NIST to “lead the development of a framework to reduce cyber risks to critical infrastructure.”

In 2014 the Cybersecurity Enhancement Act (CEA) of 2014 was signed into law. One of the things this act did was expand the role of NIST to “identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks” (CEA, 2014). This in essence expanded upon the previous guidance in EO 13636 and provided additional guidance to NIST for the creation of a framework.

In 2014 NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. In 2016, revision 1 of the Small Business Information Security: The Fundamentals document was released; it incorporated much of the basic framework from the CSF but made it more usable for small businesses. In 2017 a draft of CSF version 1.1 was released for public comment, and in April 2018 version 1.1 was officially released. This new version was compatible with the original in that it did not change the basic framework but instead expanded upon it to take into account things outside of the critical infrastructures themselves, such as their supply chains.
