The framework provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.
A security framework adoption study reported that 70% of the surveyed organizations see NIST's
framework as a popular best practice for computer security, but many note that it requires significant investment.
It includes guidance on relevant protections for privacy and civil liberties.
In 2017, NIST published the NIST Baldrige Cyber Security Excellence Builder which leverages the 2014 framework. It includes a simpler self-assessment. The questions are divided into six areas and a results section.