As global adoption continues, Steven Cockcroft MSc MBCS MCQI CQP explains the origins and rise in popularity of the NIST Cybersecurity Framework, its relevance and implications for organisations and individuals alike.

Cyber threats have evolved to become increasingly complex and catastrophic as the years go on. The National Institute of Standards and Technology (NIST), in the United States, saw a need to develop a framework of cybersecurity standards that could be applied to critical infrastructure, such as power plants, hospitals and telecommunication. That need was fulfilled by the invention of the NIST Cybersecurity Framework. But were the NIST able to predict how important their framework would become in the years that followed?

A history

Seeing a need to standardise cybersecurity policies and procedures for critical infrastructure, in February 2013, NIST made an executive order to develop a framework. In the order, they established objectives that the framework would have to fulfil. It included:

  • helping critical infrastructure operators identify, assess and manage cyber risk;
  • providing technology neutral guidance and to facilitate critical infrastructure sectors to benefit from competitive market conditions;
  • determining security guidelines and standards which can be applied to all sectors of critical infrastructure;
  • providing guidance for measuring the effectiveness of the application of the Cybersecurity Framework;
  • creating a prioritised, flexible, repeatable, performance-based and cost-effective approach;
  • collaborating with other standards organisations and particular industries to identify areas of improvement.

By 12 February 2014, one year after the executive order, NIST Cybersecurity Framework version 1.0 was released. The Framework had a significant effect on managing the cybersecurity of critical infrastructure throughout the United States and then to other countries as well. As time went on, the framework started to become adopted by industries outside of critical infrastructure, such as retail and public administration.

By April 2018, version 1.1 of the NIST Cybersecurity Framework was released. This new version benefited from lessons learned in implementing the first version. The most significant additions to the latest version of the framework were in the areas of authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure.

Supply chains can be especially important! The products and services organisations receive from third parties can introduce new cyber risks. Knowing how to manage that risk is crucial. And, if other organisations in the supply chain also comply with the NIST Cybersecurity Framework, effective security hardening becomes even more feasible.

Global adoption boom

The growth of the NIST Cybersecurity Framework started in the United States. By 2015, 30% of American organisations implemented the framework; Gartner estimated that it would be adopted by 50% of American organisations by 2020.

As mentioned, the NIST Cybersecurity Framework also gained popularity outside of the United States.

Stewart Daniels, of the government of Bermuda, said in November 2018: ‘When the NIST Cybersecurity Framework was first introduced, it was introduced at fairly senior levels, to members of cabinet. And they were very responsive to that. And they were very impressed that this was a framework that was endorsed and developed by the US federal government. And they were also impressed by the alignment with other standards such as COBIT and ISO, for example.’

Koji Ueno, Chairperson of the Japanese Cross-Sector Forum said in October 2018: ‘Since the NIST Cybersecurity Framework is globally applied, it has helped the cross-sector forum have a shared language among different industry sectors and facilitated our comprehensive discussions between member companies in Japan and their subsidiaries outside Japan.’

The World Energy Council reported in 2016: ‘The adoption of a common cross-sector cybersecurity framework, such as the US’s National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity can support the development of a comprehensive cybersecurity framework and create efficiencies, facilitate communication across energy supply chains and stakeholders and locate key areas of cyber risk management. Governments can also drive the establishment of cybersecurity standards. For example, the US NIST Cybersecurity Framework was developed with a view to international adoption; there is value for companies to have a globally consistent framework and standard to avoid confusion, duplication of effort and/or conflicting expectations.’

And, Daniel Caduff, of the Government of Switzerland, said in November 2018: ‘A lot of cybersecurity issues are still about raising awareness among people. It's still about making people aware that cybersecurity is not a state they can achieve, but a process they have to execute, every day again and again. And that's really the huge benefits that this Cybersecurity Framework provided to us, because it's this change of thinking. It's not thinking of security as a state you can achieve, but it's a way of thinking about security as a process. And that's really something that helped us to address the different challenges in cybersecurity.’

The international growth of NIST Cybersecurity Framework adoption has been facilitated by the US Department of Commerce itself. As mentioned in a June 2017 report: ‘NIST’s approach to achieving this alignment is multi-pronged. A short-term effect is achieved by direct discussions with foreign governments to encourage their endorsement of CSF (Cybersecurity Framework) or publication of complimentary national frameworks. To date, NIST has engaged directly with more than 30 foreign governments regarding the CSF. One tangible result of this effort is Italy’s publication of their National Framework for Cyber Security, which is based entirely on the CSF.’

Supply chains often cross international borders, so this spread of NIST Cybersecurity Framework adoption is a promising sign, indeed.

Inspiring others

The NIST Cybersecurity Framework has inspired the creation of similar frameworks in different jurisdictions. The Kingdom of Saudi Arabia’s, Saudi Arabian Monetary Authority (SAMA) launched their own Cyber Security Framework version 1.0 in May 2017. From their official document:

‘In view of the ever-growing seriousness of cyber-attacks, we are conscious of the need to stay one-step ahead. The issuance of a Cyber Security Framework (‘framework’) seeks to support our regulated entities in their efforts to have an appropriate cyber security governance and to build a robust infrastructure along with the necessary detective and preventive controls. The framework articulates appropriate controls and provides guidance on how to assess maturity level.’

Their framework applies to all the entities within SAMA’s jurisdiction, including banks, lenders, credit bureaus and all other Saudi Arabian financial institutions.

Role in defence and training

The NIST Cybersecurity Framework not only inspired other frameworks in different countries, it also influenced a cybersecurity framework under the US Department of Defense. The US Military’s cybersecurity maturity model certification (CMMC) not only applies to their own various units, but also to their supply chain of an overwhelming 300,000 companies. Version 1.0 of the CMMC launched in January 2020. The certification element of the framework is particularly important:

‘The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow, down to its subcontractors in a multi-tier supply chain.’

Foreign government discussions aren’t the only reason why the framework has grown in international popularity. The utility and effectiveness of the framework play a vital role as well. Certification bodies are also seeking to support organisations with NIST certification services, leading to increasing demand for professionals with framework implementation and audit knowledge.

Cybersecurity-professionals.com has seen increasing uptake of its industry first, NCSC certified NIST cybersecurity professional (NCSP) courses, globally since release, early in 2020. Customers have included major global banks, the UK MOD, major telecommunications providers and the Australian Victorian Government.

Forward thinking individuals, globally, have been signing up to the training to enhance their knowledge of the framework and enhance their career prospects as consultancy opportunities increase and NIST inclusion goes from a ‘nice to have’ in job adverts to a ‘must have’. So, what are the benefits to organisations and individuals?

The benefits

According to the NIST, there are eight use cases that organisations can target to leverage the implementation of the cybersecurity framework. These use cases are areas in which the framework can be applied to integrate seamlessly with already existing cybersecurity policies and procedures. They include:

  • integrating enterprise and cybersecurity risk management;
  • evaluating organisational cybersecurity;
  • reporting cybersecurity risks;
  • managing cybersecurity requirements;
  • maintaining a comprehensive understanding of cybersecurity risk;
  • integrating and aligning cybersecurity and acquisition processes;
  • managing the cybersecurity programme;
  • informing the tailoring process.

There are many benefits for individuals to be able to demonstrate their understanding of the NIST Cybersecurity Framework. Becoming a certified NIST cybersecurity pofessional (NCSP) is one way to increase knowledge and demonstrate understanding of the framework to customers and future employers, as adoption of the framework globally continues.

A growing need

Cyber threats to organisations of all kinds are getting increasingly complex. More and more entities in all sectors are starting to understand that, not only do they need specific policies and procedures for security hardening and incident response, but they also need a framework for the development and maintenance of those policies. This explains the popularity of the NIST Cybersecurity Framework and increasing global adoption.

If individuals would like to pursue a career in any one of the multitudes of technical or managerial roles, becoming a certified NIST Cybersecurity Professional (NCSP) is going to be absolutely expected as global adoption continues. Requirements for NIST-CSF knowledge, skills and competence is already growing, as evidenced through its increasing inclusion in job advertisements globally.

The world now sees a need for everyone to be on the same page when it comes to developing and enforcing policies, managing risk and continually improving cybersecurity arrangements throughout their networks and organisations. It would appear governments, regulators and organisations, globally, are turning to the NIST Cybersecurity Framework to enable that.

About the author

Steven Cockcroft MSc MBCS MCQI CQP is the owner of Mile House Consulting Ltd and CySec Professionals Ltd.

His record of accomplishment includes operational delivery, training and consultancy to global organisations and individuals and he has earned a reputation for delivering programmes to drive management system implementations and certification across large, geographically dispersed organisations. He has led over 30 organisations, of all sizes and in all markets, to certification to established international and national standards in the areas of information security and business continuity.

He holds accredited trainer status from multiple organisations, including the UK National Cyber Security Centre. He holds or has held memberships to several professional organisations including, the British Computer Society, the Institute of Risk Management, the Chartered Quality Institute and Transparency International.

CySec Professionals Ltd, through its wholly owned professionals, graduates and academy focused websites as well as growing and engaged global social media networks, aims to enable opportunity, education and inspiration for existing and future cybersecurity professionals worldwide.