Cyber Resilience Frameworks Used in the US

Cyber resilience frameworks provide the structured methodologies that organizations use to anticipate, withstand, recover from, and adapt to cyberattacks and technology-related disruptions. In the US, the framework landscape spans voluntary federal guidance, mandatory sector-specific regulations, and international standards adopted by American industries — creating a layered and sometimes overlapping compliance environment. Understanding how these frameworks are structured, how they relate to one another, and where they diverge is essential for professionals responsible for organizational resilience, regulatory compliance, and continuity planning.


Definition and scope

A cyber resilience framework is a structured set of practices, controls, processes, and governance mechanisms designed to reduce the probability of a disruptive cyber event, limit its impact when it occurs, and restore operational capacity afterward. The term "resilience" distinguishes these frameworks from pure cybersecurity frameworks: where cybersecurity focuses primarily on prevention and detection, resilience explicitly incorporates continuity, recovery, and adaptive capacity.

In the US federal context, the NIST Cybersecurity Framework (CSF), maintained by the National Institute of Standards and Technology, is the most widely referenced baseline. First published in 2014 under Executive Order 13636 and updated to version 2.0 in February 2024, the CSF organizes resilience activities across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function, new in CSF 2.0, elevated organizational risk management and supply chain oversight to the framework's structural core.

Beyond NIST CSF, the US framework landscape includes sector-specific mandates. The HIPAA Security Rule at 45 CFR §164.308(a)(7) requires covered entities and business associates to maintain contingency plans (data backup, disaster recovery, and emergency mode operation procedures) for systems that hold ePHI. The FFIEC IT Examination Handbook: Business Continuity Management sets resilience expectations for federally examined financial institutions. Federal agencies, including the Department of Defense, apply the Risk Management Framework (RMF) in NIST SP 800-37 Rev. 2, which ties security and resilience controls to a formal authorization decision and supports ongoing authorization through continuous monitoring.

Internationally, ISO 22301:2019 (Business Continuity Management Systems) and ISO/IEC 27001:2022 (Information Security Management Systems) are both adopted by US organizations seeking global alignment or operating in multinational regulatory environments. The scope of "cyber resilience framework" in the US therefore spans voluntary guidance, statutory requirements, federal agency directives, and international standards — often applied in combination at a single organization.


Core mechanics or structure

Most US-recognized cyber resilience frameworks share a lifecycle structure organized around four to six functional phases. The NIST CSF 2.0 model provides the most widely adopted reference architecture:

  1. Govern — Establishes the organizational context, risk appetite, roles, policies, and supply chain risk management strategy that inform all other functions.
  2. Identify — Asset management, risk assessment, and business environment analysis to establish what must be protected and why.
  3. Protect — Implementation of safeguards: access controls, data security, platform security, and technology infrastructure resilience.
  4. Detect — Continuous monitoring, anomaly detection, and event analysis to identify cybersecurity incidents in real time or near-real time.
  5. Respond — Incident response planning, communications, analysis, mitigation, and improvement activities activated during an incident.
  6. Recover — Restoration of impaired services and capabilities, communication of recovery activities, and incorporation of lessons learned (NIST CSF 2.0).

The RMF, by contrast, uses a seven-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor (NIST SP 800-37 Rev. 2). The process is mandatory for federal agencies and for systems that contractors operate on their behalf, and it ties the selected security controls to a formal authorization decision (Authority to Operate, or ATO) that must then be sustained through continuous monitoring.

NIST SP 800-53 Rev. 5 provides the control catalog that populates the RMF: 20 control families, from Access Control (AC) through Supply Chain Risk Management (SR). The Contingency Planning (CP) family directly addresses cyber resilience through controls CP-1 through CP-13 (CP-5 is withdrawn and folded into CP-2), specifying requirements for contingency plan content and testing, system backup, alternate storage and processing sites, and system recovery and reconstitution.

For critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) maintains the Cross-Sector Cybersecurity Performance Goals (CPGs), a prioritized subset of IT and operational technology practices organized by the NIST CSF functions and intended as a minimum baseline for critical infrastructure owners and operators.


Causal relationships or drivers

The proliferation of cyber resilience frameworks in the US has been driven by identifiable structural forces rather than gradual natural evolution.

Regulatory fragmentation across 16 critical infrastructure sectors — each governed by a separate sector risk management agency — has produced parallel frameworks. The energy sector follows NERC CIP standards; the financial sector follows FFIEC guidance and, for systemically important entities, Federal Reserve and OCC supervisory expectations; healthcare follows HIPAA and HHS guidance. This fragmentation incentivized NIST CSF as a cross-sector common baseline.

Federal contracting requirements drive adoption of SP 800-53-derived controls. DFARS clause 252.204-7012 requires defense contractors that store, process, or transmit Controlled Unclassified Information (CUI) to implement NIST SP 800-171, a derivative of SP 800-53 tailored for nonfederal systems, while FAR 52.204-21 imposes a smaller set of basic safeguarding requirements on contractor systems that handle federal contract information.

Cyber insurance market dynamics have made framework alignment a practical financial requirement. Insurers increasingly require evidence that specific controls are implemented, often mapped to NIST CSF or the CIS Controls, as a condition of coverage or as an input to premium calculation. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) adds mandatory incident and ransom payment reporting for covered entities once CISA's implementing regulation takes effect, which will further reinforce framework adoption in covered sectors.

The continuity-providers resource catalogs service providers organized by their alignment to these regulatory and framework categories.


Classification boundaries

Cyber resilience frameworks in the US can be classified along three axes:

By authority type:
- Voluntary/guidance — NIST CSF, CIS Controls, CISA CPGs
- Mandatory for regulated sectors — HIPAA Security Rule, NERC CIP, FFIEC BCM Handbook, CMMC (for DoD contractors)
- Mandatory for federal agencies — RMF (NIST SP 800-37), FedRAMP (for cloud services), Federal Continuity Directive 1 (FCD-1) for COOP

By operational focus:
- Prevention and control — ISO/IEC 27001, NIST SP 800-53
- Risk management lifecycle — NIST RMF, NIST CSF
- Business continuity and recovery — ISO 22301, NIST SP 800-34, FFIEC BCM
- Operational technology/ICS — IEC 62443, NERC CIP

By scope of coverage:
- Technology systems only — RMF, FedRAMP
- Organization-wide — ISO 22301, NIST CSF 2.0 (with Govern function)
- Sector-specific — NERC CIP (electric), HIPAA (healthcare), FFIEC (financial)

These classification axes frequently overlap. A healthcare organization subject to HIPAA may voluntarily adopt NIST CSF as its overarching structure, using SP 800-53 control families to satisfy both CSF subcategories and HIPAA Security Rule implementation specifications simultaneously. The how-to-use-this-continuity-resource page addresses how the provider network organizes providers by these framework alignments.


Tradeoffs and tensions

Comprehensiveness versus implementability. NIST SP 800-53 Rev. 5 contains over 1,000 individual controls and control enhancements. Implementing the full catalog is neither practical nor intended for most organizations. The challenge is that selective implementation requires documented justification — a tailoring process — which itself demands expertise. Smaller organizations frequently lack the personnel to execute rigorous tailoring, leading to either under-implementation or checkbox compliance without operational effect.

Voluntary frameworks and enforcement gaps. NIST CSF is explicitly voluntary for private-sector organizations not subject to sector-specific mandates. This creates an asymmetry: well-resourced organizations adopt it as a genuine management tool, while organizations facing lower regulatory scrutiny may treat it as optional documentation rather than operational practice. CIRCIA's reporting requirements may narrow this gap, but mandatory adoption of specific controls remains absent at the federal cross-sector level.

Framework overlap and audit fatigue. An organization operating in both financial services and healthcare may face simultaneous FFIEC BCM, HIPAA Security Rule, and NIST CSF mapping requirements. Producing evidence of compliance across three or more frameworks for different regulators generates significant administrative burden, often diverting resources from actual resilience improvement toward documentation management.

Static standards versus dynamic threat environments. Framework publication cycles, such as ISO/IEC 27001 revisions and NIST CSF major updates, operate on multi-year timescales; threat landscapes evolve faster. The 2022 revision of ISO/IEC 27001 Annex A, aligned with ISO/IEC 27002:2022, added 11 new controls, including threat intelligence and information security for use of cloud services, yet the gap between a framework's publication and an organization's adoption of it can span two to four years.

Quantitative versus qualitative maturity assessment. Maturity models like the Cybersecurity Capability Maturity Model (C2M2), maintained by the Department of Energy, provide numerical maturity levels (0–3) for each practice domain. However, high maturity scores on paper do not necessarily correlate with operational resilience — a tension that auditors and framework designers acknowledge but have not fully resolved.


Common misconceptions

"NIST CSF compliance means NIST SP 800-53 compliance."
These are structurally distinct documents. NIST CSF is an outcomes-based framework describing what functions resilient organizations perform. SP 800-53 is a control catalog describing how those outcomes are achieved through specific technical and procedural controls. Mapping exists between them, but satisfying one does not automatically satisfy the other (NIST CSF 2.0 reference tool).

"ISO 27001 certification satisfies HIPAA requirements."
ISO 27001 certification demonstrates a functioning information security management system but does not map directly to HIPAA's specific administrative, physical, and technical safeguard requirements. HHS Office for Civil Rights has not recognized ISO 27001 as a safe harbor or equivalent compliance standard.

"Frameworks are only relevant to large enterprises."
CISA's Cross-Sector Cybersecurity Performance Goals were explicitly designed to be achievable by small and medium-sized organizations. The 2022 CPG document identifies a prioritized subset of 37 practices from NIST CSF specifically scoped for organizations with limited cybersecurity resources (CISA CPGs).

"Adopting a framework guarantees resilience."
Framework adoption is a governance and documentation activity. Operational resilience depends on tested, practiced, and updated plans, not on the existence of a policy document. NIST SP 800-34 Rev. 1 describes a testing, training, and exercise program for contingency plans, and for federal systems SP 800-53 control CP-4 requires plan testing at an organization-defined frequency, distinguishing plan documentation from demonstrated recovery capability.

"The Recover function in NIST CSF is the same as disaster recovery."
The CSF Recover function addresses restoration of impaired capabilities and services and incorporates lessons learned into future planning. Technical disaster recovery — including RTO/RPO targets, backup architecture, and failover procedures — falls primarily within NIST SP 800-34 and the CP control family of SP 800-53, not the CSF alone.


Checklist or steps (non-advisory)

The following sequence reflects the standard framework adoption process as described across NIST SP 800-37, NIST CSF, and CISA guidance:

  1. Scope definition — Identify the organizational systems, data types, and business functions subject to the framework. Reference FIPS 199 categories for federal systems or applicable sector definitions for regulated industries.
  2. Current state assessment — Conduct a gap analysis mapping existing controls to the selected framework's requirements. Document implemented, partially implemented, planned, and not applicable controls.
  3. Risk assessment — Execute a formal risk assessment per NIST SP 800-30 Rev. 1 or equivalent methodology, identifying threats, vulnerabilities, likelihoods, and impacts specific to the organization's environment.
  4. Target profile development — Define the desired framework maturity or compliance state based on risk tolerance, regulatory requirements, and resource constraints.
  5. Control selection and tailoring — Select controls or practices from the applicable framework catalog. For SP 800-53 users, document tailoring decisions with justifications in a System Security Plan (SSP).
  6. Implementation — Deploy selected controls across technical, administrative, and physical domains. Assign control ownership and document implementation status.
  7. Assessment and testing — Test contingency plans, incident response procedures, and recovery capabilities. NIST SP 800-34 recommends tabletop exercises, functional exercises, and full-scale tests at differentiated frequency intervals.
  8. Authorization or attestation — For federal systems, obtain Authority to Operate (ATO) through the RMF process. For regulated private-sector entities, document compliance posture for regulatory examination.
  9. Continuous monitoring — Implement ongoing monitoring per SP 800-137 or equivalent, feeding results into plan updates and risk reassessment cycles.
  10. Plan maintenance — Review and update framework alignment annually or following significant organizational, technological, or threat environment changes.
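Step 2 above (current state assessment) and the healthcare crosswalk described under Classification boundaries reduce to the same computation: map each framework requirement to the SP 800-53 controls that satisfy it, then derive the requirement's status from the implementation status of those controls. The Python below is an added example written for this page, not code from NIST, HHS, or this resource. The crosswalk pairings and the control inventory are constructed for illustration (a real assessment would load the published NIST and HHS crosswalks), and the weakest-link rule for deriving a requirement's status is a design choice of the example.

```python
"""Added example: control crosswalk and gap analysis for framework adoption.

Inventory statuses follow the four buckets in step 2 of the adoption sequence
(implemented, partially implemented, planned, not applicable), plus an explicit
"not implemented" for controls the organization has not addressed at all.
"""
from collections import Counter
from enum import IntEnum


class Status(IntEnum):
    """Ordered so that min() over a set of controls yields the weakest one."""
    NOT_IMPLEMENTED = 0
    PLANNED = 1
    PARTIAL = 2
    IMPLEMENTED = 3
    NOT_APPLICABLE = 4  # excluded before min() is taken


# Constructed crosswalk for illustration: (framework, requirement) -> the
# SP 800-53 Rev. 5 controls assumed to satisfy it. Not an official mapping.
CROSSWALK = {
    ("NIST CSF 2.0", "PR.DS-11"): ["CP-9"],
    ("NIST CSF 2.0", "RC.RP-01"): ["CP-2", "CP-10"],
    ("HIPAA", "164.308(a)(7)(ii)(A)"): ["CP-9"],
    ("HIPAA", "164.308(a)(7)(ii)(B)"): ["CP-2", "CP-10"],
    ("HIPAA", "164.308(a)(7)(ii)(D)"): ["CP-4"],
}

# Constructed sample inventory for one organization (the output of step 2).
INVENTORY = {
    "CP-2": Status.IMPLEMENTED,
    "CP-4": Status.PLANNED,
    "CP-9": Status.PARTIAL,
    "CP-10": Status.NOT_IMPLEMENTED,
}


def requirement_status(controls, inventory):
    """A requirement is only as satisfied as its weakest mapped control.

    Controls missing from the inventory count as not implemented. Controls
    marked not applicable are excluded; if every mapped control is N/A the
    requirement itself needs a documented tailoring justification.
    """
    statuses = [inventory.get(c, Status.NOT_IMPLEMENTED) for c in controls]
    applicable = [s for s in statuses if s != Status.NOT_APPLICABLE]
    if not applicable:
        return "tailored-out (justify)"
    return min(applicable).name.lower()


def gap_report(crosswalk=CROSSWALK, inventory=INVENTORY):
    """Map every framework requirement to its derived status."""
    return {req: requirement_status(ctrls, inventory)
            for req, ctrls in crosswalk.items()}


def remediation_priority(crosswalk=CROSSWALK, inventory=INVENTORY):
    """Rank unmet controls by how many requirements, across all frameworks,
    they block. Fixing the top-ranked control closes the most gaps at once."""
    blocking = Counter()
    for controls in crosswalk.values():
        for c in controls:
            if inventory.get(c, Status.NOT_IMPLEMENTED) < Status.IMPLEMENTED:
                blocking[c] += 1
    return blocking.most_common()


if __name__ == "__main__":
    for (framework, req), status in gap_report().items():
        print(f"{framework:12} {req:26} {status}")
    print("remediation order:", remediation_priority())
```

Because the statuses form an ordered enum, a single min() gives the weakest mapped control, and the remediation ranking counts how many requirements each unmet control blocks across every framework in scope, which is the quantity that matters when one control must serve several regulators at once.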

The resource documents how service providers within this network are categorized by their framework specialization.


Reference table or matrix

Framework | Issuing Body | Authority Type | Primary Scope | Sector Applicability | Recovery Focus
--- | --- | --- | --- | --- | ---
NIST Cybersecurity Framework (CSF) 2.0 | NIST | Voluntary (federal guidance) | Organization-wide cyber risk | Cross-sector | Recover function (RC)
NIST SP 800-53 Rev. 5 | NIST | Mandatory (federal agencies); voluntary (private) | Information system controls | Federal / contractors | CP family (CP-1 to CP-13)
NIST SP 800-37 Rev. 2 (RMF) | NIST | Mandatory (federal agencies) | System authorization lifecycle | Federal / DoD contractors | Continuous monitoring
NIST SP 800-34 Rev. 1 | NIST | Federal guidance | Contingency planning | Federal agencies | Explicit DR/BCP/COOP
NIST SP 800-171 Rev. 3 | NIST | Mandatory (CUI handlers) | Nonfederal system security | DoD supply chain | Incident response
ISO 22301:2019 | ISO | Voluntary / contractual | Business continuity management | Cross-sector, international | BCM lifecycle
ISO/IEC 27001:2022 | ISO/IEC | Voluntary / certification | Information security management | Cross-sector, international | Annex A controls
HIPAA Security Rule (45