NIST Cybersecurity Framework

What is the NIST Cybersecurity Framework?

In February 2014 the U.S. National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST Cybersecurity Framework. The Framework helps an entity organize its existing security and risk management practices and programs and identify areas for improvement. The Cybersecurity Framework aligns with NIST’s security and privacy standards and guidelines. Organizations are able to link existing security approaches to the Framework’s core Functions – Identify, Protect, Detect, Respond, and Recover. To download the NIST Cybersecurity Framework, visit:

Who Uses the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is publicly available for download and free to use by government and industry organizations. When first published in February 2014, the Framework was aimed at operators of national critical infrastructure, and has since been referenced by a wide range of businesses and organizations across industries.

Updates to the NIST Cybersecurity Framework

Position Statement from CISQ

The Consortium for Information & Software Quality is in support of NIST’s efforts to develop the Cybersecurity Framework. CISQ has submitted comments during open review periods. The Cybersecurity Framework explains “what to do” to develop, acquire, modernize and secure IT-intensive systems, and leaves “how to do it” open to an organization to customize with practices.

CISQ’s contributions to the NIST Cybersecurity Framework are automatable source code standards for measuring software size and software structural quality. [See Automated Quality Characteristic Measures for measuring security and reliability, based on the aggregation of critical violations of good coding and architectural practice for each measure]. Automated code quality metrics make it feasible to measure software reliability and security at regular intervals – at each release cycle, in Agile/DevOps accelerated environments, or when evaluating technical deliverables from suppliers or outsourced IT service providers.

Updates in Version 1.1 of the NIST Cybersecurity Framework promote these points:

  • Formal agreements of baseline requirements for suppliers and partners
  • The monitoring of cyber risk, similar to financial risk or operational risk
  • Metrics measurement

CISQ provides the metrics for software that are necessary to meet the requirements of the NIST Cybersecurity Framework. To leverage CISQ resources for these efforts, view the Use Cases section of our website.