Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better manage cybersecurity-related risks.
The U.S. Department of Commerce’s National Institute of Standards and Technology issued what is now widely known simply as the “NIST Cybersecurity Framework” Feb. 12, 2014. Its development was the result of a year-long collaborative process involving hundreds of organizations and individuals from industry, academia and government agencies, according to a NIST release.
“Although the Cybersecurity Framework was developed initially with a focus on our critical infrastructure, such as transportation and the electric power grid, today it is having a much broader, positive impact in this country and around the world,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.
“NIST is committed to ensuring that even more organizations, especially smaller companies, know about and are able to use the Cybersecurity Framework to help strengthen the security of their systems, operations and data, and to make wise, cost-effective choices to mitigate cybersecurity and privacy risks,” said Copan.
Interest in using the Cybersecurity Framework is increasing. The framework’s first update, Version 1.1 released in April 2018, has been downloaded more than 267,000 times. Overall, the framework has been downloaded more than half a million time since its initial publication in 2014, NIST reported.
Although its use is voluntary for the private sector, it became mandatory for all U.S. federal agencies through a 2017 Presidential executive order.
The Cybersecurity Framework has been translated into Hebrew, Italian, Japanese and most recently, Spanish . Portuguese and Arabic translations are expected soon. Multiple countries reference or draw upon the framework in their own approaches. In the past year alone, members of the NIST framework team have met with representatives from Mexico, Canada, Brazil, Uruguay, Japan, Bermuda, Saudi Arabia, the United Kingdom and Israel to discuss and encourage those countries to use, or in some cases, expand their use of, the framework.
NIST actively reaches out to industry through regular webcasts that have so far reached 10,000 participants from 30-plus countries.
More than 900 participants took part in the November 2018 NIST Cybersecurity Risk Management Conference — an extension of annual NIST workshops focusing on the Cybersecurity Framework. Over the nine workshops and conferences to develop and evolve the Cybersecurity Framework, more than 3,500 participants provided suggestions for refinement and taken away ideas about using the framework for cybersecurity risk management.
NIST published a catalog of online learning modules and success stories that describe how various organizations are using the framework including lessons learned.
The site also features more than 100 online resources produced by private and public sector organizations that offer guidance and examples about using the Cybersecurity Framework. Feedback and questions — along with requests for email alerts — can be sent to firstname.lastname@example.org.