What you must know about the NIST Cybersecurity Framework

Updated: May 12, 2020

Cyber attacks are a bigger problem than ever before. A single ransomware incident from organised crime can cost an organisation millions of dollars or pounds in lost intellectual property and productivity. A data breach can cost an organisation millions of dollars or pounds in reputation damage, regulatory fines, and litigation. And that's just scratching the surface of the ever-evolving cyber threat landscape!

Standardisation is a must. Security hardening is a highly complex matter, so having a policy framework that’s carefully designed to be responsive to today’s cybersecurity needs is very helpful for organisations large and small. So, when the National Institute of Standards and Technology (NIST) debuted the NIST Cybersecurity Framework in 2014, a tremendous need was fulfilled.

A brief history of the NIST Cybersecurity Framework

When Version 1.0 of the NIST Cybersecurity Framework was released in 2014, the focus was on critical infrastructure, such as public utilities, telecommunications, and healthcare. Those are the sort of services that if interrupted would seriously disrupt modern society, possibly causing many deaths. It makes perfect sense that critical infrastructure would be the Framework's first target. A lot of critical entities use decades-old computer technology, and highly vulnerable ICS and SCADA systems. That sort of technology is also a lucrative target for international cyber-warfare.

Version 1.1 was published in 2018. The scope of the Framework was considerably broadened to also encompass retail, academia, local governments, and businesses of many sizes and industries. Cyber attacks on those sectors can also threaten national security: they can endanger intellectual property and sensitive financial data, and put many sorts of valuable assets and services at risk.

Organisations need to customise their security policies and procedures to suit their specific activities, infrastructure, and industry-specific regulations. But meeting the NIST Cybersecurity Framework is a crucial starting point.

NIST Cybersecurity Framework global adoption growth

Because the NIST Cybersecurity Framework meets a great need many organisations have, its adoption has grown significantly in the United States. From NIST’s February 2016 press release:

“As soon as the framework was published, the NIST team began traveling throughout the US and internationally to share how it can help organisations manage their cyber risk. The framework is now used by 30 percent of US organisations, according to the information technology research company Gartner, and that number is projected to reach 50 percent by 2020.”

In March 2016, Tenable released its Trends in Security Framework Adoption Study. They said:

“According to the survey results, 29% of organisations leverage the NIST Cybersecurity Framework (CSF) and overall security confidence is higher for those using this framework. Additionally, more than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice. It’s also the most likely security framework to be adopted by organisations over the next year.”

Numerous industry surveys from organisations such as Gartner, Tenable and Cisco indicate sustained and increasing use of the Framework over time. In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework.

Corporations, organisations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it.

The NIST Cybersecurity Framework has quickly become one of the most widely adopted security frameworks ever. And once an organisation has implemented it, it feels greater confidence in its security posture and works to make sure that posture is maintained.

NIST Cybersecurity Framework benefits

Admittedly, implementing the NIST Cybersecurity Framework requires a lot of work and investment. But with the rapid growth of its adoption around the world, it’s easy to see why so many organisations consider it to be worth the effort.

Security standards were very fragmented and inconsistent before the publication of the NIST Cybersecurity Framework. It could be difficult for organisations to decide which, if any, to choose in their security hardening and procedures. Additionally, the lack of consistency made it difficult for organisations to maintain a good security baseline. Organisations are choosing to implement the NIST Cybersecurity Framework because their stakeholders and trading partners are likely implementing it as well. And the Framework is a clear set of standards which can be used by entities of various sizes and industries.

The Framework was originally designed to secure critical infrastructure. Due to how devastating cyber attacks can be to public utilities and the like, the standards for securing those entities should be very, very high. If the Framework is good enough for a nuclear power plant, it should definitely be good enough for your business!

The Framework addresses the cost-effectiveness of cybersecurity risk management. That's vital to many organisations because you don't want to spend millions of dollars on a measure that doesn't measurably improve the security of your infrastructure.

It's worth noting that the Framework was designed to benefit entire organisations, not just their IT departments. In NIST's own words: "The Framework balances comprehensive risk management, with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to organisational, mission/business, and IT and operational technology (OT)/industrial control system (ICS) systems-level professionals. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organisation." Cyber attacks could enter from any point, so it's good to know that the Framework is absolutely comprehensive.

Accredited NIST Cybersecurity Professional (NCSP) Training Options

So, the NIST has published a very useful Framework that’s in growing global demand. If you’re a security professional, being able to demonstrate your understanding of the Framework to potential employers could really boost your career. And if you’re an organisation looking to train the personnel you already employ, the program you choose must have proven effectiveness.

Through its cybersecurity academy website, CySec Professionals Ltd currently offers three courses within the NIST Cybersecurity Professional (NCSP) program, the only program that's GCHQ (UK) and DHS (US) approved and is accredited by APMG International. It's clearly the best way to prepare security practitioners and organisations for implementing the NIST Cybersecurity Framework.

There are two routes to becoming a highly sought-after NIST Cybersecurity Professional Practitioner:

1. Professionals can choose to take the NIST Cybersecurity Professional Foundation Certificate course and its associated exam. They can then enroll in the NIST Cybersecurity Professional Practitioner Certificate course, which includes the exam and all of the required training materials.

2. An alternate option for practitioners is to consider the NIST Cybersecurity Professional Boot Camp course, which combines both the Foundation Course and Practitioner course materials into one course and includes a single exam.

All levels of the NIST Cybersecurity Professional program are available as online self-study, virtual instructor-led and traditional classroom-based delivery options - and include exam fees.

Authored by Kim Crawley:
