Security framework usage growing at steady rate

The Cybersecurity Framework created by the National Institute of Standards and Technology (NIST) is currently being used by 30% of U.S. organizations and is expected to reach 50% by 2020.


In 2014, the National Institute of Standards and Technology (NIST) released a document designed to help strengthen cybersecurity at organizations that manage critical national infrastructure such as banking and the energy supply.

Produced after a year of intensive collaboration with industry, the Cybersecurity Framework is now a tool used by a wide variety of public and private companies and organizations.

Executive Order 13636 issued by President Obama called for NIST to work with stakeholders to develop a voluntary framework based on existing cyber security standards, guidelines and practices to reduce risks to the nation's critical infrastructure. Through an intense schedule of meetings across the country, NIST convened organizations large and small and from a variety of industries to shape the framework in just a year.

As soon as the framework was published, the NIST team began traveling throughout the U.S. and internationally to share how it can help organizations manage their cyber risk. The framework is now used by 30% of U.S. organizations, according to the information technology research company Gartner, and that number will reach 50% by 2020.

Universities and other organizations also rely on its guidance. In addition to private organizations in other countries, other governments, such as Italy, are using it as the foundation for their national cybersecurity guidelines.

The framework operates as a "Rosetta Stone" that helps translate sector-specific risk management jargon and "creates a common understanding amongst the sectors around various risk management terms and phrases," according to a report by the Financial Services Sector Coordinating Council (FSSCC).

The FSSCC report also observed that "[C]hief Information Security Officers have been using it to communicate ideas and achieve 'buy-in' for various cyber security initiatives. Externally, institutions are using it to communicate expectations and requirements to non-sector vendors and third parties."

The framework is a risk-based approach to managing cybersecurity, and its foundation relies on more than a decade of NIST guidance in cyber security and on international standards. The framework's core ideas—identify, protect, detect, respond and recover—help users evaluate their cyber risk and develop plans to manage it. It can guide them as they determine the cyber controls they choose, with consideration of any regulation or standards that may apply to their particular industry sector.

The document is also "A merger of business sense and cyber-logic," said Matt Barrett, NIST's program manager for the Cybersecurity Framework. When all top management understands risk, cyber security can end up factored appropriately into business decisions, he said. "It allows organizations to choose controls and processes that work for their particular risk levels and mission or business needs."

Users and cyber security-related organizations are helping promote the framework through their own publications and educational efforts.

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on Edited by Chris Vavra, production editor, CFE Media, Control
