

The framework provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.

A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.

It includes guidance on relevant protections for privacy and civil liberties.




Compliance and Regulatory Framework Industries

The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework has been translated to many languages and is used by the governments of Japan and Israel, among others.

In 2017, NIST published the NIST Baldrige Cyber Security Excellence Builder, which leverages the 2014 framework. It includes a simpler self-assessment. The questions are divided into six areas and a results section.

  • Leadership
  • Strategy
  • Customers
  • Measurement, Analysis and Knowledge Management
  • Workforce
  • Operations
  • Results