The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber-attacks. The framework has been translated into many languages and is used by the governments of Japan and Israel, among others. It “provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.” Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is now used by a wide range of businesses and organizations and helps shift organizations toward a proactive approach to risk management. In 2017, a draft of version 1.1 was circulated for public comment. Version 1.1 was announced and made publicly available on April 16, 2018, and remains compatible with version 1.0. The changes include guidance on how to perform self-assessments, additional detail on supply chain risk management, and guidance on how to interact with supply chain stakeholders.

Customer Benefits

The NIST framework provides guidelines designed to be inclusive of, and not inconsistent with, other standards and best practices. Some of the benefits are:

- a set of standards, methodologies, procedures, and processes that align policy, business, and technical approaches to address cyber risks
- a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure:
  - identify, assess, and manage cyber risk
  - identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
  - be consistent with voluntary international standards
Assessment and Auditing based on the NIST framework
