- 11 May 2023
- London

About the author
Roland Thomas
Manager | Corporate Development
Roland Thomas is Thomas Murray’s Associate Director, Corporate Development. He started in 2018 as an intern and now works on all aspects of our strategy, corporate finance and business development. Since 2019, he has been responsible for establishing Thomas Murray’s cyber risk business. In 2020 he oversaw the launch of Orbit Security, a threat intelligence and security ratings platform, and developed our expert cyber risk consultancy.
The US’s National Institute of Standards and Technology (NIST) created a voluntary cyber security framework. The aim was to strengthen the cyber security of critical infrastructure in the private sector.
Since it was created in 2014, the NIST framework has become internationally significant, either adopted as-is or forming the basis for regulatory approaches in other jurisdictions. It is used in Israel and Japan, for example, and its influence can be seen in the EU’s Digital Operational Resilience Act (DORA).
The practices, standards and guidelines that form the NIST framework were last updated in 2018. Another update was promised for 2022, but is still pending. Revisions will be based on public feedback in three main areas:
- What changes are needed to the framework itself;
- How the framework interacts with other resources; and
- The aspects of cyber security in the supply chain that need strengthening.
NIST’s Chief Cybersecurity Advisor, Kevin Stine, had this to say of the review:
“There is no single issue driving this change. This is a planned update to keep the [framework] current and ensure that it is aligned with other tools that are commonly used.”
The NIST framework’s five core functions
The single, overarching aim of what the NIST describes as the framework’s ‘five core functions’ is to give an organisation a strategic overview of its cyber security risks:
- Identify – understand how to manage cyber security risks (to data, systems, assets, etc).
- Protect – safeguarding measures are in place to ensure the delivery of critical infrastructure services.
- Detect – an organisation can clearly define how it identifies cyber security incidents.
- Respond – an organisation has a plan for dealing with various cyber security incidents.
- Recover – an organisation has a plan for operational resilience, including a prioritised list of functions/services and a course of action for repairing affected systems.
A voluntary approach
The NIST framework does not impose any regulatory compliance standards – the NIST talks about organisations “choosing to leverage” the framework, rather than being “required to comply” with it.
At a basic level, the NIST framework can be seen as an attempt to nudge businesses towards treating their cyber security risks as seriously as they do their other operational risks (e.g. financial, supply chain or personnel).
For more information, please get in touch with me and the team.