Booz Allen Hamilton

The NIST Cybersecurity Framework

A Legal Update discussing the purpose and scope of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

In February 2014, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity pursuant to President Obama's Executive Order 13636 for improving critical infrastructure cybersecurity. The Framework includes recommended practices for organizations within "critical infrastructure" industries. While using the Framework is voluntary, the Department of Homeland Security has defined 16 critical infrastructure industries that collectively cover virtually every US business.

The Framework aims to, among other things:

  • Provide a common, plain-English language for stakeholders to discuss cybersecurity.
  • Standardize the approach for addressing cybersecurity concerns.

The Framework is scalable and technology neutral. According to NIST, the Framework:

  • Complements, and does not replace, an organization's cybersecurity program.
  • Can be used as a reference to establish a cybersecurity program if one does not already exist.
  • Can be used with a broad array of cybersecurity risk management processes, including:
      ◦ International Organization for Standardization (ISO) 31000:2009;
      ◦ ISO/IEC 27005:2011; and
      ◦ NIST Special Publication (SP) 800-39.

For more information on the Framework, including tips for implementing the Framework approach to managing cybersecurity risk, see Practice Note, The NIST Cybersecurity Framework.