This publication and the abstract below are published by NIST. ICIT strongly encourages you to visit the NIST Publication Library to search for additional information security resources, which are freely available.

NIST Cybersecurity Framework: Helping organizations to better understand and improve their management of cybersecurity risk

The United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization’s overall risk management.

To better address these risks, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of the National Institute of Standards and Technology (NIST) to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. Through CEA, NIST must identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.” This formalized NIST’s previous work developing Framework Version 1.0 under Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), and provided guidance for future Framework evolution. The Framework that was developed under EO 13636, and continues to evolve according to CEA, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.