Skip to content

NIST Cybersecurity Framework Published

12 February 2014.Cybersecurity.Standard published.Date precision, exact.Evidence grade, primary.2 primary sources

Drivers:

Regulatory requirementSecurity incidentStandardisation

High-profile breaches and critical infrastructure concerns drove government action. Executive Order 13636 mandated framework development. Industry sought common approach to demonstrate due diligence.

The NIST Cybersecurity Framework is like a checklist that helps organisations think about security in an organised way. It breaks security into five areas: know what you have (Identify), protect it (Protect), spot problems (Detect), deal with incidents (Respond), and get back to normal (Recover). Many companies use this framework to plan their security programmes.

NIST Cybersecurity Framework Published event plate

Structured atlas record showing date, domain, evidence grade, source count, and predecessor and successor links.

Event plate: NIST Cybersecurity Framework Published Convergence-divergence layout. The central hero card carries the event year, type, title, evidence grade, domain and era band. 0 predecessor cards on the left feed in with red arrows labelled "absorbs". 0 successor cards on the right derive with red arrows labelled "spawns". Key terms below the hero pin the vocabulary the event introduced. EVENT PLATE Source: https://www.nist.gov/cyberframework 2014 - STANDARD PUBLISHED NIST CybersecurityFramework Published primary evidence Domain: AI and machine learning Era band: E6 AI-scale systems KEY TERMS - VOCABULARY THE EVENT INTRODUCED NIST CSF Identify Protect Detect Convergence-divergence: predecessors absorbed, successors spawned Hero card carries year, evidence and domain. 0 predecessors flow in from the left; 0 successors flow out to the right. Key termsbelow pin the vocabulary the event introduced.

Forecasts and counterfactuals stay labelled as opinion in the event data. Source: Computer History Museum.

Before

Organisations lacked a common language for discussing cybersecurity risk. Multiple frameworks existed but none was universally adopted. Executive Order 13636 (2013) mandated development of a voluntary framework for critical infrastructure protection. Boards and executives struggled to understand security posture.

What changed

NIST published the Cybersecurity Framework (CSF) providing a common taxonomy and approach to managing cybersecurity risk. The five core functions (Identify, Protect, Detect, Respond, Recover) became widely adopted vocabulary. The framework enabled communication between technical and business stakeholders.

How it happened

Following Executive Order 13636 (February 2013), NIST led a collaborative process with industry stakeholders. After workshops and public comment, version 1.0 was published in February 2014. The framework drew on existing standards (ISO 27001, COBIT, NIST SP 800-53) to create an accessible structure.

Outcomes

  • Created common vocabulary for cybersecurity risk
  • Enabled board-level cybersecurity discussions
  • Became de facto US cybersecurity standard
  • Influenced international frameworks and regulations

Limitations

  • Voluntary nature limits enforcement
  • High-level guidance requires interpretation
  • Does not prescribe specific controls
  • Resource-intensive full implementation

Lessons learnt

  • Risk-based frameworks enable flexible application
  • Common vocabulary enables cross-organisational communication
  • Industry collaboration improves adoption
  • Frameworks must evolve with threat landscape

Stakeholders and artefacts

Organisations

  • NISTgovernmentDeveloped and published framework
  • DHSgovernmentCritical infrastructure coordination

Artefacts

  • NIST CSFframeworkRisk-based cybersecurity framework with five core functions
  • Framework CorespecificationIdentify, Protect, Detect, Respond, Recover functions

Key terms

NIST CSFIdentifyProtectDetectRespondRecoverrisk management

Causality

Preceded by: Morris Worm: First Major Internet Worm.

On this course

Read in the path Cybersecurity: Threats and Defences.

Sources

1"Framework for Improving Critical Infrastructure Cybersecurity". NIST, 2014-02-12.authoritativewww.nist.gov/cyberframework
2"NIST CSWP 1: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0". NIST, 2014-02-12.authoritativecsrc.nist.gov/pubs/cswp/1/cybersecurity-framework-v10/final