NIST Cybersecurity Framework

Executive Order 13636, issued in February 2013, established a requirement for the development of a voluntary risk-based cybersecurity framework. The resultant framework includes industry standards and best practices to help organizations manage cybersecurity risks.

The framework was created under the leadership of the National Institute of Standards and Technology (NIST), which facilitated collaboration between government and the private sector to develop a baseline to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The framework is in use today, providing a starting point for entities to implement cybersecurity measures for their organizations.

Authentication factors can be combined in several ways. Stronger assurance is generally associated with requiring more than one factor (multifactor authentication); for example, two-factor authentication might combine a hardware token (something you have) with a password (something you know). Kerberos is an authentication protocol built on two elements: tickets, issued by a trusted service (the Key Distribution Center) and presented by the user to prove identity to other services, and a secret key derived from the user's password that protects the initial exchange with that service. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), in which the server sends a random challenge and the client returns a hash computed over that challenge and the shared secret (password); the password itself never crosses the link, and a captured response is useless against a fresh challenge.
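The CHAP exchange described above, as an added worked example that is not part of the original page: the authenticator issues a one-time random challenge, the peer answers with MD5(Identifier || secret || Challenge) as specified in RFC 1994, and the authenticator recomputes and compares the hash. The class and function names (ChapAuthenticator, ChapPeer, run_exchange, demo) and the sample credentials are assumptions made for this illustration. The demo also shows why the scheme resists replay: a response captured from one exchange fails against the next challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value from RFC 1994: MD5(Identifier || secret || Challenge Value).

    The Identifier is a single octet that ties a response to one challenge.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side: knows each peer's secret, issues one-time
    random challenges and checks the returned hash. Hypothetical class name."""

    def __init__(self, secrets: dict) -> None:
        self._secrets = dict(secrets)   # peer name -> shared secret
        self._pending = {}              # peer name -> (identifier, challenge)
        self._next_id = 0

    def challenge(self, name: str):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)          # fresh, unpredictable challenge value
        self._pending[name] = (identifier, value)
        return identifier, value

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(name, None)   # each challenge is usable once
        secret = self._secrets.get(name)
        if pending is None or secret is None:
            return False
        expected_id, value = pending
        if identifier != expected_id:
            return False
        expected = chap_response(expected_id, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time compare


class ChapPeer:
    """Peer (client) side: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_exchange(auth: ChapAuthenticator, peer: ChapPeer):
    """One full Challenge -> Response -> Success/Failure round trip.

    Returns (accepted, response) so a caller can try to replay the response.
    """
    identifier, value = auth.challenge(peer.name)            # 1. Challenge
    response = peer.respond(identifier, value)               # 2. Response (hash only)
    accepted = auth.verify(peer.name, identifier, response)  # 3. Success / Failure
    return accepted, response


def demo() -> dict:
    # Constructed sample credentials for the illustration; not real accounts.
    auth = ChapAuthenticator({"alice": b"correct horse battery staple"})
    alice = ChapPeer("alice", b"correct horse battery staple")
    mallory = ChapPeer("alice", b"wrong guess")   # claims to be alice, lacks the secret

    ok, captured = run_exchange(auth, alice)
    bad, _ = run_exchange(auth, mallory)

    # Replay attempt: reuse alice's captured response against a brand-new challenge.
    identifier, _value = auth.challenge("alice")
    replayed = auth.verify("alice", identifier, captured)

    return {"genuine": ok, "wrong_secret": bad, "replay": replayed}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of demo(); only the genuine exchange is accepted. Note that CHAP's MD5 construction is a legacy design: it protects the password in transit but still requires the authenticator to store the secret in a form it can hash, and the hash offers no protection to an attacker who captures a challenge/response pair and guesses passwords offline.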

Focus your study on the first 17 pages of the following resource.

Check Your Knowledge

Choose the best answer to each question:
Question 1
The NIST framework was established under which of the following orders?
FISMA
PDD-23
EO 13636
NIST 800-53
Question 2
Which of the following best describes the NIST framework?
It is a mandatory risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary asset-based framework—a set of industry standards and best practices meant to help identify cybersecurity assets at risk.
It is a mandatory risk-based framework—a set of government-wide standards and best practices meant to help manage cybersecurity risks.
Question 3
Which of the following is true of the NIST framework?
The framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
The framework does not address critical infrastructure.
The framework is required only for organizations that do business with the US government.
The framework is required only for organizations that do business abroad.