NIST Publishes Final Cybersecurity Framework | Practical Law

The National Institute of Standards and Technology (NIST) released the final Cybersecurity Framework, a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. 

Practical Law Legal Update 5-557-7225 (Approx. 3 pages)

NIST Publishes Final Cybersecurity Framework

by Practical Law Intellectual Property & Technology
Published on 14 Feb 2014 | USA (National/Federal)
On February 12, 2014, the National Institute of Standards and Technology (NIST) released the final Cybersecurity Framework, a voluntary, how-to guide to help organizations in the critical infrastructure community better manage cybersecurity risk. The guide was developed in response to President Obama's Executive Order on Improving Critical Infrastructure Cybersecurity last year (see Legal Update, Obama Issues Cybersecurity Executive Order) and consolidates the input NIST received from multiple stakeholders on relevant standards, best practices and guidelines (see also Legal Update, NIST Publishes Preliminary Cybersecurity Framework).
The Framework aims to provide:
  • A road map for organizations that do not know where to begin to manage their security risks.
  • A way for organizations with more advanced cybersecurity to better communicate with their executive management and suppliers about management of cyber risks.
It contains three key elements:
  • The Framework Core.
  • The Framework Tiers.
  • The Framework Profiles.
The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. It consists of five functions (identify, protect, detect, respond and recover). For each function, the Framework Core identifies underlying key categories and subcategories of cybersecurity outcomes, and matches them with example informative references such as existing standards and guidelines.
The Framework Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage it. The four tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.
The Framework Profile is the alignment of the functions, categories and subcategories identified in the Framework Core with the organization's business requirements, risk tolerance and resources. A Framework Profile aims to allow an organization to create a roadmap for reducing cybersecurity risk that is aligned with organizational and sector goals, considers legal and regulatory requirements and industry best practices, and reflects risk management priorities. An organization can use Framework Profiles to describe both the current state and the desired target state of specific cybersecurity activities.
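The Current Profile versus Target Profile comparison described above is, in practice, a gap analysis over the Core's outcomes. The following Python is an added example written for this update; it is not code from NIST or Practical Law. The category names, subcategory identifiers (such as "PR-D1"), implementation statuses and priorities are constructed placeholders, not the Framework's own identifiers; only the five function names come from the Framework.

```python
"""Framework Profile gap analysis: Current Profile vs Target Profile.

Added example, not NIST's or Practical Law's code. Subcategory ids,
category names, statuses and priorities are constructed placeholders.
"""
from dataclasses import dataclass

# The five Framework Core functions (from the Framework itself).
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed implementation statuses for an outcome, ordered low to high.
STATUS_RANK = {"not implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class Outcome:
    """One Core outcome: function > category > subcategory."""
    function: str      # one of FUNCTIONS
    category: str      # constructed category name
    subcategory: str   # constructed placeholder id


@dataclass(frozen=True)
class Gap:
    """A subcategory whose Current Profile falls short of the Target Profile."""
    outcome: Outcome
    current: str
    target: str
    priority: int      # organization's risk-management priority (constructed)
    steps: int         # status levels between current and target


def _rank(status: str) -> int:
    if status not in STATUS_RANK:
        raise ValueError(f"unknown status: {status!r}")
    return STATUS_RANK[status]


def profile_gaps(core, current, target, priority):
    """Compare a Current Profile with a Target Profile over the Core outcomes.

    current/target map subcategory id -> status; an outcome absent from a
    profile is treated as 'not implemented'. The result is the roadmap:
    gaps sorted by priority, then by distance to the target.
    """
    gaps = []
    for outcome in core:
        if outcome.function not in FUNCTIONS:
            raise ValueError(f"not a Core function: {outcome.function!r}")
        cur = current.get(outcome.subcategory, "not implemented")
        tgt = target.get(outcome.subcategory, "not implemented")
        steps = _rank(tgt) - _rank(cur)
        if steps > 0:
            gaps.append(Gap(outcome, cur, tgt,
                            priority.get(outcome.subcategory, 0), steps))
    gaps.sort(key=lambda g: (-g.priority, -g.steps, g.outcome.subcategory))
    return gaps


def coverage_by_function(core, profile):
    """Fraction of each function's outcomes that a profile marks 'implemented'."""
    totals = {f: 0 for f in FUNCTIONS}
    done = {f: 0 for f in FUNCTIONS}
    for outcome in core:
        totals[outcome.function] += 1
        if _rank(profile.get(outcome.subcategory, "not implemented")) == 2:
            done[outcome.function] += 1
    return {f: (done[f] / totals[f] if totals[f] else 0.0) for f in FUNCTIONS}


# Constructed sample Core slice and profiles (placeholders, not NIST's ids).
CORE = [
    Outcome("Identify", "Asset Management", "ID-A1"),
    Outcome("Identify", "Risk Assessment", "ID-R1"),
    Outcome("Protect", "Access Control", "PR-A1"),
    Outcome("Protect", "Data Security", "PR-D1"),
    Outcome("Detect", "Continuous Monitoring", "DE-M1"),
    Outcome("Respond", "Response Planning", "RS-P1"),
    Outcome("Recover", "Recovery Planning", "RC-P1"),
]
CURRENT = {"ID-A1": "implemented", "ID-R1": "partial", "PR-A1": "partial",
           "PR-D1": "not implemented", "DE-M1": "not implemented",
           "RS-P1": "partial", "RC-P1": "not implemented"}
TARGET = {"ID-A1": "implemented", "ID-R1": "implemented", "PR-A1": "implemented",
          "PR-D1": "implemented", "DE-M1": "implemented",
          "RS-P1": "implemented", "RC-P1": "partial"}
PRIORITY = {"PR-D1": 3, "DE-M1": 3, "PR-A1": 2, "RC-P1": 2, "ID-R1": 1, "RS-P1": 1}


def roadmap():
    """The prioritized gap list for the constructed sample profiles."""
    return profile_gaps(CORE, CURRENT, TARGET, PRIORITY)


if __name__ == "__main__":
    for g in roadmap():
        print(f"P{g.priority} {g.outcome.function:8} {g.outcome.subcategory}: "
              f"{g.current} -> {g.target} ({g.steps} step(s))")
    print("current coverage:", coverage_by_function(CORE, CURRENT))
```

Sorting by priority before distance keeps the roadmap aligned with risk management priorities rather than with whichever outcomes happen to be furthest behind; treating an unlisted subcategory as "not implemented" means an outcome the organization forgot to assess surfaces as a gap rather than silently passing.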
The Framework is described as a living document and will be updated as needed to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use. NIST also published a companion roadmap to the Framework, which discusses next steps with the Framework and key areas of development, alignment and collaboration.