Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide
A metrology agency, the Bureau of Standards was directed by Herbert Hoover to set up divisions to develop commercial standards for materials and products. Some of these standards were for products intended for government use, but product standards also affected private-sector consumption. Quality standards were developed for products including some types of clothing, automobile brake systems and headlamps, antifreeze, and electrical safety. During World War I,
A neutron science user facility: the NIST Center for Neutron Research (NCNR). The NCNR provides scientists access to a variety of neutron scattering instruments, which they use in many research fields (materials science, fuel cells, biotechnology, etc.). The SURF III Synchrotron Ultraviolet Radiation Facility is a source of synchrotron radiation, in continuous operation since 1961. SURF III now serves as
A 2016 survey, 70% of organizations view the NIST Cybersecurity Framework as a best practice for computer security, though some have noted that implementation can require significant investment. The framework is designed to be flexible and adaptable, providing high-level guidance that allows individual organizations to determine the specifics of implementation based on their unique needs and risk profiles. Version 1.0 of
A NIST team as part of a DARPA competition. In September 2013, both The Guardian and The New York Times reported that NIST allowed the National Security Agency (NSA) to insert a cryptographically secure pseudorandom number generator called Dual EC DRBG into NIST standard SP 800-90 that had a kleptographic backdoor that the NSA can use to covertly predict the future outputs of this pseudorandom number generator, thereby allowing
A baseline profile based on their sector or specific industry needs. Research indicates that the NIST Cybersecurity Framework has the potential to influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still emerging. This influence could foster better international cybersecurity practices, benefiting businesses that operate across borders and contributing to global cybersecurity efforts. The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into
A combination of vacuum tubes and solid-state diode logic. About the same time the Standards Western Automatic Computer was built at the Los Angeles office of the NBS by Harry Huskey and used for research there. A mobile version, DYSEAC, was built for the Signal Corps in 1954. Due to a changing mission, the "National Bureau of Standards" became the "National Institute of Standards and Technology" in 1988. Following
A detected cybersecurity incident." "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident." In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies' operational environments. The NIST Cybersecurity Framework
A draft of the CSF 2.0 for public comment through November 4, 2023. NIST decided to update the framework to make it more applicable to small and medium size enterprises that use the framework, as well as to accommodate the constantly changing nature of cybersecurity. In August 2024, NIST released a final set of encryption tools designed to withstand the attack of a quantum computer. These post-quantum encryption standards secure
A flexible and scalable approach to cybersecurity. The framework provides a high-level taxonomy of cybersecurity outcomes and offers a methodology for assessing and managing those outcomes. Additionally, it addresses the protection of privacy and civil liberties in a cybersecurity context. The CSF has been translated into multiple languages and is widely used by governments, businesses, and organizations across various sectors. According to
A program to provide metrology services for United States scientific and commercial users. A laboratory site was constructed in Washington, DC, and instruments were acquired from the national physical laboratories of Europe. In addition to weights and measures, the Bureau developed instruments for electrical units and for measurement of light. In 1905 a meeting was called that would be the first "National Conference on Weights and Measures". Initially conceived as purely
A structured approach to cybersecurity risk management. The CSF is composed of three primary components: the Core, Implementation Tiers, and Profiles. The Core outlines five key cybersecurity functions (Identify, Protect, Detect, Respond, and Recover), each of which is further divided into specific categories and subcategories. These functions offer a high-level, outcome-driven approach to managing cybersecurity risks. The Implementation Tiers help organizations assess
A subsequent concept paper in January of 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and has requested public comments be submitted by November 4, 2023. The following is a list of the major changes to the framework from version 1.1 to 2.0: [REDACTED] This article incorporates public domain material from NIST Cybersecurity Framework (PDF), National Institute of Standards and Technology. National Institute of Standards and Technology The National Institute of Standards and Technology (NIST)
A total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all. For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by
A user-accessible cleanroom nanomanufacturing facility. This "NanoFab" is equipped with tools for lithographic patterning and imaging (e.g., electron microscopes and atomic force microscopes). NIST has seven standing committees: As part of its mission, NIST supplies industry, academia, government, and other users with over 1,300 Standard Reference Materials (SRMs). These artifacts are certified as having specific characteristics or component content, used as calibration standards for measuring equipment and procedures, quality control benchmarks for industrial processes, and experimental control samples. NIST publishes
A wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy. Four scientific researchers at NIST have been awarded Nobel Prizes for work in physics: William Daniel Phillips in 1997, Eric Allin Cornell in 2001, John Lewis Hall in 2005 and David Jeffrey Wineland in 2012, which is the largest number for any US government laboratory not accounting for ubiquitous government contracts to state institutions and
Is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency
Is found in NIST Special Publication SP 800-53. FIPS 200 identifies 17 broad control families: National Institute of Standards and Technology A maturity-based framework divided into five functional areas and approximately 100 individual controls in its "core." A database of nearly one thousand technical controls grouped into families and cross references. A proprietary control set published by ISACA. Formerly known as
Is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best practices and lessons learned. Since releasing version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released
Is now the Handbook 44 since 1918 and began publication under the current name in 1949. The 2010 edition conforms to the concept of the primary use of the SI (metric) measurements recommended by the Omnibus Foreign Trade and Competitiveness Act of 1988. NIST is developing government-wide identity document standards for federal employees and contractors to prevent unauthorized persons from gaining access to government buildings and computer systems. In 2002,
Is providing practical guidance and tools to better prepare facility owners, contractors, architects, engineers, emergency responders, and regulatory authorities to respond to future disasters. The investigation portion of the response plan was completed with the release of the final report on 7 World Trade Center on November 20, 2008. The final report on the WTC Towers, including 30 recommendations for improving building and occupant safety, was released on October 26, 2005. NIST works in conjunction with
The Biden administration began plans to create a U.S. AI Safety Institute within NIST to coordinate AI safety matters. According to The Washington Post, NIST is considered "notoriously underfunded and understaffed", which could present an obstacle to these efforts. NIST, known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory, also known as
The Center for Internet Security). Special Publications (SP) aside, most of the informative references require a paid membership or purchase to access their respective guides. The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses. Here are the functions and categories, along with their unique identifiers and definitions, as stated in
The Constitution of the United States, ratified in 1789, granted these powers to the new Congress: "The Congress shall have power ... To coin money, regulate the value thereof, and of foreign coin, and fix the standard of weights and measures". In January 1790, President George Washington, in his first annual message to Congress, said, "Uniformity in the currency, weights, and measures of
The Handbook 44 each year after the annual meeting of the National Conference on Weights and Measures (NCWM). Each edition is developed through cooperation of the Committee on Specifications and Tolerances of the NCWM and the Weights and Measures Division (WMD) of NIST. The purpose of the book is a partial fulfillment of the statutory responsibility for "cooperation with the states in securing uniformity of weights and measures laws and methods of inspection". NIST has been publishing various forms of what
The National Construction Safety Team Act mandated NIST to conduct an investigation into the collapse of the World Trade Center buildings 1 and 2 and the 47-story 7 World Trade Center. The "World Trade Center Collapse Investigation", directed by lead investigator Shyam Sunder, covered three aspects, including a technical building and fire safety investigation to study the factors contributing to
The National Medal of Science has been awarded to NIST researchers Cahn (1998) and Wineland (2007). Other notable people who have worked at NBS or NIST include: Since 1989, the director of NIST has been a Presidential appointee and is confirmed by the United States Senate, and since that year the average tenure of NIST directors has fallen from 11 years to 2 years in duration. Since the 2011 reorganization of NIST,
The September 11, 2001 attacks, under the National Construction Safety Team Act (NCST), NIST conducted the official investigation into the collapse of the World Trade Center buildings. Following the 2021 Surfside condominium building collapse, NIST sent engineers to the site to investigate the cause of the collapse. In 2019, NIST launched a program named NIST on a Chip to decrease the size of instruments from lab machines to chip size. Applications include aircraft testing, communication with satellites for navigation purposes, and temperature and pressure. In 2023,
The Technical Guidelines Development Committee of the Election Assistance Commission to develop the Voluntary Voting System Guidelines for voting machines and other election technology. In February 2014 NIST published the NIST Cybersecurity Framework that serves as voluntary guidance for organizations to manage and reduce cybersecurity risk. It was later amended and Version 1.1 was published in April 2018. Executive Order 13800, Strengthening
The Treaty of the Meter, which established the International Bureau of Weights and Measures under the control of an international committee elected by the General Conference on Weights and Measures. NIST is headquartered in Gaithersburg, Maryland, and operates a facility in Boulder, Colorado, which was dedicated by President Eisenhower in 1954. NIST's activities are organized into laboratory programs and extramural programs. Effective October 1, 2010, NIST
The proximity fuze and the standardized airframe used originally for Project Pigeon, and shortly afterwards the autonomously radar-guided Bat anti-ship guided bomb and the Kingfisher family of torpedo-carrying missiles. In 1948, financed by the United States Air Force, the Bureau began design and construction of SEAC, the Standards Eastern Automatic Computer. The computer went into operation in May 1950 using
NIST Cybersecurity Framework - Misplaced Pages Continue
The Bureau worked on multiple problems related to war production, even operating its own facility to produce optical glass when European supplies were cut off. Between the wars, Harry Diamond of the Bureau developed a blind approach radio aircraft landing system. During World War II, military research and development was carried out, including development of radio propagation forecast methods,
The Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies. An extension to the NIST Cybersecurity Framework is the Cybersecurity Maturity Model (CMMC) which was introduced in 2019 (though the origin of CMMC began with Executive Order 13556). It emphasizes the importance of implementing Zero-trust architecture (ZTA) which focuses on protecting resources over
The EC-DRBG algorithm from the NIST SP 800-90 standard. In addition to these journals, NIST (and the National Bureau of Standards before it) has a robust technical reports publishing arm. NIST technical reports are published in several dozen series, which cover a wide range of topics, from computer technology to construction to aspects of standardization including weights, measures and reference data. In addition to technical reports, NIST scientists publish many journal and conference papers each year; a database of these, along with more recent technical reports, can be found on
The NIST cryptography process because of its recognized expertise. NIST is also required by statute to consult with the NSA." Recognizing the concerns expressed, the agency reopened the public comment period for the SP800-90 publications, promising that "if vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible". Due to public concern of this cryptovirology attack, NIST rescinded
The NIST website. Security control Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. Security controls can be classified by various criteria. For example, controls can be classified by how/when/where they act relative to a security breach (sometimes termed control types): Security controls can also be classified according to
The National Metrological Institute (NMI), which is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to: Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST had an operating budget for fiscal year 2007 (October 1, 2006 – September 30, 2007) of about $843.3 million. NIST's 2009 budget
The Profiles allow organizations to tailor the framework to their specific requirements and risk assessments. Organizations typically start by developing a "Current Profile" to describe their existing cybersecurity practices and outcomes. From there, they can create a "Target Profile" to outline the desired future state and define the steps needed to achieve it. Alternatively, organizations can adopt
The SANS Critical Security Controls now officially called the CIS Critical Security Controls (CIS Controls). The CIS Controls are divided into 18 controls. The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls. In telecommunications, security controls are defined as security services as part of the OSI model: These are technically aligned. This model
The US national standard for source-based radiometry throughout the generalized optical spectrum. All NASA-borne, extreme-ultraviolet observation instruments have been calibrated at SURF since the 1970s, and SURF is used for the measurement and characterization of systems for extreme ultraviolet lithography. The Center for Nanoscale Science and Technology (CNST) performs research in nanotechnology, both through internal research efforts and by running
The United States is an object of great importance, and will, I am persuaded, be duly attended to." On October 25, 1791, Washington again appealed Congress: A uniformity of the weights and measures of the country is among the important objects submitted to you by the Constitution and if it can be derived from a standard at once invariable and universal, must be no less honorable to the public council than conducive to
The country. NIST publishes the Handbook 44 that provides the "Specifications, tolerances, and other technical requirements for weighing and measuring devices". The Congress of 1866 made use of the metric system in commerce a legally protected activity through the passage of Metric Act of 1866. On May 20, 1875, 17 out of 20 countries signed a document known as the Metric Convention or
The director also holds the title of Under Secretary of Commerce for Standards and Technology. Fifteen individuals have officially held the position (in addition to four acting directors who have served on a temporary basis). NIST holds patents on behalf of the Federal government of the United States, with at least one of them being custodial to protect public domain use, such as one for a Chip-scale atomic clock, developed by
The framework document. "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities." "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event." "Develop and implement the appropriate activities to take action regarding
The framework has been criticized for the cost and complexity involved in its implementation, particularly for small and medium-sized enterprises. The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and mitigate cybersecurity risks. It draws from existing standards, guidelines, and best practices to provide
The framework was published in 2014, primarily targeting operators of critical infrastructure. A public draft of Version 1.1 was released for comment in 2017, and the final version was published on April 16, 2018. Version 1.1 retained compatibility with the original framework while introducing additional guidance on areas such as supply chain risk management. Version 2.0, released in 2024, further expanded
The framework's scope and introduced new guidelines on self-assessment and cybersecurity governance. The framework consists of three main components: the "Core," "Profiles," and "Tiers." The Core provides a comprehensive set of activities, outcomes, and references related to various aspects of cybersecurity. The Implementation Tiers help organizations assess their cybersecurity practices and sophistication, while
The implementation of the control (sometimes termed control categories), for example: Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below. ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to
The national physical laboratory for the United States. Southard had previously sponsored a bill for metric conversion of the United States. President Theodore Roosevelt appointed Samuel W. Stratton as the first director. The budget for the first year of operation was $40,000. The Bureau took custody of the copies of the kilogram and meter bars that were the standards for US measures, and set up
The network perimeter. ZTA utilizes zero trust principles which include "never trust, always verify", "assume breach" and "least privileged access" to safeguard users, assets, and resources. Since ZTA holds no implicit trust to users within the network perimeter, authentication and authorization are performed at every stage of a digital transaction. This reduces the risk of unauthorized access to resources. NIST released
The new version of the Standard within 3 years (by October 2025). The 2022 version of the Standard specifies 93 controls in 4 groups: It groups these controls into operational capabilities as follows: The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups: The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under
The private sector. All four were recognized for their work related to laser cooling of atoms, which is directly related to the development and advancement of the atomic clock. In 2011, Dan Shechtman was awarded the Nobel Prize in chemistry for his work on quasicrystals in the Metallurgy Division from 1982 to 1984. In addition, John Werner Cahn was awarded the 2011 Kyoto Prize for Materials Science, and
The probable cause of the collapses of the WTC Towers (WTC 1 and 2) and WTC 7. NIST also established a research and development program to provide the technical basis for improved building and fire codes, standards, and practices, and a dissemination and technical assistance program to engage leaders of the construction and building community in implementing proposed changes to practices, standards, and codes. NIST also
The public convenience. In 1821, President John Quincy Adams declared, "Weights and measures may be ranked among the necessities of life to every individual of human society." Nevertheless, it was not until 1838 that the United States government adopted a uniform set of standards. From 1830 until 1901, the role of overseeing weights and measures was carried out by the Office of Standard Weights and Measures, which
The purview of the Committee on National Security Systems, are managed outside these standards. Federal Information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls
The sophistication of their cybersecurity practices, while the Profiles allow for customization based on an organization's unique risk profile and needs. Since its inception, the CSF has undergone several updates to reflect the evolving nature of cybersecurity. Version 1.1, released in 2018, introduced enhancements related to supply chain risk management and self-assessment processes. The most recent update, Version 2.0,
The standard by NSA). NIST responded to the allegations, stating that "NIST works to publish the strongest cryptographic standards possible" and that it uses "a transparent, public process to rigorously vet our recommended standards". The agency stated that "there has been some confusion about the standards development process and the role of different organizations in it... The National Security Agency (NSA) participates in
The surreptitious decryption of data. Both papers report that the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006. The whistle-blowing document states that "eventually, NSA became the sole editor". The reports confirm suspicions and technical grounds publicly raised by cryptographers in 2007 that the EC-DRBG could contain a kleptographic backdoor (perhaps placed in
Was $992 million, and it also received $610 million as part of the American Recovery and Reinvestment Act. NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 1,800 NIST associates (guest researchers and engineers from American companies and foreign countries) complement the staff. In addition, NIST partners with 1,400 manufacturing specialists and staff at nearly 350 affiliated centers around
Was named the National Bureau of Standards. The Articles of Confederation, ratified by the colonies in 1781, provided: The United States in Congress assembled shall also have the sole and exclusive right and power of regulating the alloy and value of coin struck by their own authority, or by that of the respective states, fixing the standards of weights and measures throughout the United States. Article 1, section 8, of
Was part of the Survey of the Coast, renamed the United States Coast Survey in 1836 and the United States Coast and Geodetic Survey in 1878, in the United States Department of the Treasury. In 1901, in response to a bill proposed by Congressman James H. Southard (R, Ohio), the National Bureau of Standards was founded with the mandate to provide standard weights and measures, and to serve as
Was published in 2024, expanding the framework's applicability and adding new guidance on cybersecurity governance and continuous improvement practices. The NIST Cybersecurity Framework is used internationally and has been translated into multiple languages. It serves as a benchmark for cybersecurity standards, helping organizations align their practices with recognized global standards, such as ISO/IEC 27001 and COBIT. While widely praised,
Was realigned by reducing the number of NIST laboratory units from ten to six. NIST Laboratories include: Extramural programs include: NIST's Boulder laboratories are best known for NIST-F1, which houses an atomic clock. NIST-F1 serves as the source of the nation's official time. From its measurement of the natural resonance frequency of cesium, which defines the second, NIST broadcasts time signals via longwave radio station WWVB near Fort Collins, Colorado, and shortwave radio stations WWV and WWVH, located near Fort Collins and Kekaha, Hawaii, respectively. NIST also operates