Cyber Resilience Frameworks Used in the US

Cyber resilience frameworks establish the structured methodologies by which US organizations design, assess, and maintain their capacity to anticipate, withstand, recover from, and adapt to cyber threats. This page catalogs the major frameworks operating across federal, critical infrastructure, and private-sector contexts, maps their structural components, identifies regulatory connections, and clarifies how these frameworks relate to each other and to business continuity and cybersecurity planning. Understanding which frameworks apply to which sectors—and where obligations are mandatory versus voluntary—is a prerequisite for accurate capability assessments.


Definition and scope

Cyber resilience, as distinguished from cybersecurity, encompasses the capacity of an organization to continue delivering intended outcomes despite adverse cyber events. The distinction is operationally significant: cybersecurity focuses on preventing and detecting intrusions; cyber resilience includes continuity, recovery, and adaptive capacity when prevention fails.

The National Institute of Standards and Technology (NIST) defines cyber resiliency in SP 800-160 Volume 2 Rev 1 as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources." That four-part structure—anticipate, withstand, recover, adapt—underpins the design logic of most US frameworks.

In scope for this reference are frameworks applicable across US federal agencies, critical infrastructure sectors, financial institutions, healthcare entities, and private-sector operators. Frameworks range from voluntary guidance (the NIST Cybersecurity Framework) to sector-specific regulatory requirements (NERC CIP for electric utilities, HIPAA Security Rule for covered entities) to mandatory federal standards (NIST SP 800-53, which FISMA requires agencies to apply to federal information systems). Detailed coverage of individual framework intersections with continuity planning is available through NIST Cybersecurity Framework and continuity and regulatory requirements for cyber continuity.


Core mechanics or structure

NIST Cybersecurity Framework (CSF)

Originally released in February 2014 under Executive Order 13636 and updated to CSF 2.0 in February 2024 (NIST CSF 2.0), the framework organizes cybersecurity activities into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 introduced "Govern" as a top-level function, elevating organizational context, roles, policies, and supply chain risk management. Each Function subdivides into Categories and Subcategories; the informative references that map them to ISO/IEC 27001, COBIT, CIS Controls, and NIST SP 800-53 are maintained online through the NIST OLIR program rather than inside the core document.

NIST SP 800-53

NIST SP 800-53 Rev 5 provides a catalog of 1,189 security and privacy controls and control enhancements organized into 20 control families. Federal agencies under FISMA (44 U.S.C. § 3551 et seq.) must select the Low, Moderate, or High baseline (published separately in NIST SP 800-53B) that matches the system's impact level as categorized under FIPS 199, with FIPS 200 setting the minimum security requirements, and then tailor that baseline to the system. Contingency Planning (CP), Incident Response (IR), and System and Communications Protection (SC) are dedicated control families directly addressing resilience and continuity.

NIST SP 800-160 Volume 2

This publication provides cyber resiliency engineering guidance, defining 14 cyber resiliency techniques (including adaptive response, analytic monitoring, coordinated protection, and substantiated integrity) and mapping them to threat categories and risk management processes. It is most applicable to high-value assets and critical systems.

NERC CIP Standards

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are mandatory and enforceable reliability standards for bulk electric system owners and operators, approved by the Federal Energy Regulatory Commission (FERC) under Section 215 of the Federal Power Act. CIP-009 specifically addresses Recovery Plans for BES Cyber Systems, requiring documented and tested recovery procedures.

CISA Cross-Sector Cybersecurity Performance Goals (CPGs)

Released by the Cybersecurity and Infrastructure Security Agency (CISA) in October 2022 and updated in March 2023, the CPGs are a prioritized baseline of cybersecurity practices applicable across all 16 critical infrastructure sectors. They are voluntary for most entities but form baseline expectations in sector risk management agency guidance.


Causal relationships or drivers

Three regulatory and threat-environment dynamics drive framework adoption patterns across US sectors:

Federal mandate pressure. FISMA requires federal agencies to implement risk management programs consistent with NIST standards. The Office of Management and Budget (OMB) Memorandum M-22-09 (January 2022) mandated zero trust architecture adoption across civilian federal agencies, creating demand for frameworks that integrate identity and access management with resilience planning. Zero trust architecture and continuity planning documents this intersection in detail.

Sector-specific regulatory requirements. The financial sector operates under the FFIEC IT Examination Handbooks, OCC guidelines, and, for institutions with EU operations, the EU Digital Operational Resilience Act (DORA), whose requirements increasingly shape the continuity programs of US multinational institutions. Healthcare covered entities and their business associates face HIPAA Security Rule mandates under 45 CFR Part 164. These sector obligations create compliance floors that generic frameworks do not fulfill independently.

Insurance market pressure. Cyber insurers increasingly require evidence of framework alignment before underwriting or pricing policies. The alignment between framework maturity and cyber insurance and continuity planning has made frameworks a de facto underwriting criterion.


Classification boundaries

Frameworks divide along three axes: mandatory vs. voluntary, sector-specific vs. cross-sector, and risk management vs. engineering.

Axis              | Category A                          | Category B
Legal obligation  | Mandatory (FISMA, NERC CIP, HIPAA)  | Voluntary (NIST CSF, CISA CPGs)
Sector scope      | Sector-specific (NERC CIP, FFIEC)   | Cross-sector (NIST CSF, SP 800-53)
Orientation       | Risk management (CSF, SP 800-37)    | Engineering/architecture (SP 800-160 v2, SP 800-207)

A fourth classification axis applies to federal vs. private-sector contexts: SP 800-53 controls are required for federal information systems but optional (though widely referenced) for private entities. The Federal Agency Cyber Continuity Standards page details the federal-specific obligation stack.


Tradeoffs and tensions

Comprehensiveness vs. operability. SP 800-53 Rev 5's 1,189 controls represent comprehensive coverage but impose significant implementation overhead. Smaller organizations frequently implement only the CSF, which provides directional guidance without prescriptive control specificity. The tradeoff is reduced assurance depth in exchange for feasible adoption.

Voluntary adoption gaps. The NIST CSF, despite widespread recognition, carries no legal enforcement mechanism for private-sector entities outside of sector-specific regulatory requirements. Organizations in sectors without mandatory cyber requirements (e.g., certain manufacturing subsectors) can claim CSF alignment without external verification, creating measurement inconsistency.

Framework proliferation and mapping burden. US organizations subject to multiple overlapping requirements (e.g., a financial services firm with federal contracts) must map controls across NIST SP 800-53, FFIEC, FedRAMP, and PCI DSS simultaneously. The NIST National Online Informative References (OLIR) program exists specifically to manage cross-framework mapping, but maintaining currency across framework revisions imposes ongoing administrative cost.

Recovery objectives vs. engineering posture. Frameworks like the CSF address recovery at a functional level ("Recover" function), but do not specify recovery time objectives or recovery point objectives for systems. Those metrics require additional operational planning that frameworks describe but do not prescribe.


Common misconceptions

Misconception 1: NIST CSF compliance equals NIST SP 800-53 compliance.
The CSF is an organizing structure that references SP 800-53 as an informative source. Implementing the CSF Functions does not constitute SP 800-53 control implementation. Federal agencies and FedRAMP-authorized cloud providers must satisfy SP 800-53 control baselines regardless of CSF alignment.

Misconception 2: Frameworks are static certification programs.
No US framework described here issues certifications in the manner of ISO/IEC 27001. NIST does not certify CSF compliance. Framework "alignment" is self-assessed or third-party audited, not issued by the standards body. The exceptions are FedRAMP, which operates a formal authorization (not certification) process, and NERC CIP, whose compliance is audited by NERC's Regional Entities under FERC oversight.

Misconception 3: Voluntary frameworks carry no regulatory consequence.
CISA CPGs and the NIST CSF, while voluntary, are referenced in sector risk management agency guidance, federal procurement requirements, and cyber insurance standards. Failure to adopt recognized frameworks can constitute a factor in negligence determinations and regulatory enforcement actions in sectors where baseline security practices are defined by reference to published standards.

Misconception 4: Cyber resilience frameworks cover physical continuity.
NIST SP 800-160 v2 and the CSF address cyber system resilience. Physical infrastructure continuity (facilities, personnel continuity, physical supply chain disruption) is the domain of business continuity and continuity of operations (COOP) planning, for federal agencies under FEMA's Federal Continuity Directive 1. NIST SP 800-34 Rev 1 (Contingency Planning Guide for Federal Information Systems) covers the information-system contingency plans that feed those broader programs; it does not itself constitute a physical continuity program, and neither do the cyber resilience frameworks.


Checklist or steps (non-advisory)

The following sequence describes standard framework adoption phases as documented in NIST guidance and CISA implementation resources:

  1. Scope definition — Identify organizational systems, assets, and data in scope; define system boundaries per NIST SP 800-18.
  2. Current profile development — Document existing cybersecurity activities mapped to relevant framework categories (CSF Categories or SP 800-53 control families).
  3. Risk assessment — Conduct threat and vulnerability assessment per NIST SP 800-30 to establish risk context.
  4. Target profile development — Define desired future state based on regulatory requirements, risk tolerance, and sector baseline expectations.
  5. Gap analysis — Compare current and target profiles; identify control gaps and resource requirements.
  6. Implementation prioritization — Sequence gap remediation based on risk priority, using CISA CPG prioritization where applicable.
  7. Implementation and integration — Deploy controls, update policies, configure systems; integrate continuity elements including incident response plans per NIST SP 800-61.
  8. Assessment and authorization — Conduct control assessments per NIST SP 800-53A; obtain authorization to operate (ATO) for federal systems per RMF.
  9. Continuous monitoring — Implement ongoing monitoring per NIST SP 800-137; update profiles as threat landscape and regulatory requirements evolve.
  10. Tabletop and functional exercises — Validate framework implementation through structured tabletop exercises and incident response continuity drills.
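As an added example (not part of the page's source guidance), the following Python script carries steps 2 through 6 through on constructed data: it derives a CSF 2.0 current profile from an inventory of implemented SP 800-53 Rev 5 controls using a small hand-picked crosswalk, compares it with a target profile weighted by risk assessment results, and ranks the resulting gaps. Category identifiers follow CSF 2.0 naming and the control identifiers are real SP 800-53 Rev 5 IDs, but the crosswalk contents (an illustrative subset, not NIST's OLIR reference mapping), the control inventory, the targets, and the risk weights are assumptions.

```python
"""Profile gap analysis for framework adoption (checklist steps 2 to 6).

All data below is constructed for illustration. The crosswalk is a small
hand-picked subset of plausible CSF 2.0 category -> SP 800-53 Rev 5
mappings, not the NIST OLIR reference mapping.
"""
from dataclasses import dataclass

# Constructed crosswalk: CSF 2.0 category -> SP 800-53 Rev 5 control IDs.
CROSSWALK = {
    "GV.SC": ("SR-2", "SR-3", "SR-6"),          # supply chain risk management
    "PR.AA": ("AC-2", "AC-3", "IA-2", "IA-5"),  # identity, authentication, access
    "PR.DS": ("SC-8", "SC-28", "MP-6"),         # data security
    "DE.CM": ("AU-6", "SI-4", "CA-7"),          # continuous monitoring
    "RS.MA": ("IR-4", "IR-8"),                  # incident management
    "RC.RP": ("CP-2", "CP-9", "CP-10"),         # incident recovery plan execution
}

# Constructed inventory: controls the organization has assessment evidence for.
IMPLEMENTED = {"AC-2", "AC-3", "IA-2", "SC-8", "AU-6", "SI-4", "CA-7", "IR-8", "CP-2"}

# Constructed target profile (step 4): required coverage per category, 0.0 to 1.0.
TARGET = {"GV.SC": 1.0, "PR.AA": 1.0, "PR.DS": 1.0, "DE.CM": 0.75,
          "RS.MA": 1.0, "RC.RP": 1.0}

# Constructed risk weights (step 3 output): 1 (low) to 5 (critical) per category.
RISK_WEIGHT = {"GV.SC": 3, "PR.AA": 5, "PR.DS": 4, "DE.CM": 3, "RS.MA": 4, "RC.RP": 5}


@dataclass
class Gap:
    category: str
    current: float      # fraction of mapped controls implemented today
    target: float       # required fraction from the target profile
    missing: tuple      # control IDs that would close the gap
    priority: float     # (target - current) * risk weight, higher first


def current_profile(implemented, crosswalk=CROSSWALK):
    """Step 2: fraction of crosswalked controls implemented, per CSF category."""
    return {cat: sum(1 for c in ctrls if c in implemented) / len(ctrls)
            for cat, ctrls in crosswalk.items()}


def gap_analysis(implemented, target=TARGET, weights=RISK_WEIGHT, crosswalk=CROSSWALK):
    """Steps 5 and 6: compare current and target profiles, rank gaps by risk."""
    current = current_profile(implemented, crosswalk)
    gaps = []
    for category, required in target.items():
        if category not in crosswalk:
            # A target with no mapped controls cannot be assessed; fail loudly
            # rather than silently reporting it as covered.
            raise KeyError(f"target references unmapped category {category}")
        have = current[category]
        if have >= required:
            continue  # at or above target; nothing to remediate
        missing = tuple(c for c in crosswalk[category] if c not in implemented)
        priority = round((required - have) * weights.get(category, 1), 2)
        gaps.append(Gap(category, have, required, missing, priority))
    # Highest priority first; tie-break on category ID for deterministic output.
    gaps.sort(key=lambda g: (-g.priority, g.category))
    return gaps


if __name__ == "__main__":
    for g in gap_analysis(IMPLEMENTED):
        print(f"{g.category}: {g.current:.0%} -> {g.target:.0%} "
              f"priority={g.priority} missing={', '.join(g.missing)}")
```

On the constructed data the script ranks RC.RP (recovery plan execution, missing CP-9 and CP-10) first and PR.AA last, while DE.CM is omitted because it already exceeds its 75% target. Coverage fraction is a coarse proxy: a real current profile records implementation evidence per CSF Subcategory, and the crosswalk should be taken from the OLIR mappings for the framework revisions actually in scope.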

Reference table or matrix

Framework                      | Issuing Body       | Mandatory Scope                                                  | Sector                                 | Primary Resilience Dimension
NIST CSF 2.0                   | NIST               | Voluntary (private); referenced in federal procurement           | Cross-sector                           | Risk management lifecycle
NIST SP 800-53 Rev 5           | NIST               | Mandatory (federal agencies, FISMA)                              | Federal / FedRAMP                      | Control implementation
NIST SP 800-160 Vol 2 Rev 1    | NIST               | Voluntary                                                        | High-value / critical systems          | Engineering resilience
NIST SP 800-34 Rev 1           | NIST               | Federal guidance                                                 | Federal                                | IT contingency planning
NIST SP 800-61 Rev 2           | NIST               | Federal guidance (superseded by Rev 3, April 2025)               | Federal / broad private use            | Incident response
NERC CIP Standards             | NERC / FERC        | Mandatory (bulk electric system)                                 | Energy / electric                      | Operational technology protection
HIPAA Security Rule            | HHS / OCR          | Mandatory (covered entities and business associates)             | Healthcare                             | Administrative, physical, technical safeguards
FFIEC IT Examination Handbook  | FFIEC              | Examination standard (supervised institutions)                   | Financial services                     | Risk management, business continuity
CISA Cross-Sector CPGs         | CISA               | Voluntary                                                        | All 16 critical infrastructure sectors | Baseline practice prioritization
NIST SP 800-207                | NIST               | Voluntary; referenced in OMB M-22-09                             | Federal and private                    | Zero trust architecture
FedRAMP                        | GSA (FedRAMP PMO)  | Mandatory (cloud services used by federal agencies; FedRAMP Authorization Act of 2022) | Cloud / federal | Cloud security authorization
