The NIST Cybersecurity Framework is a cybersecurity risk management program developed with a focus on industries necessary to national and economic security, such as the energy, banking, communications, and defense sectors. Due to its flexibility, however, both small and large companies have adopted the Framework across every industry sector, including federal, state and local governments.
Most recently, the Framework has been updated to version 1.1. I’ll be diving into the changes found in the new version later in a separate blog but, first, let’s cover the basics of the Framework itself.
The Framework is divided into three primary components used to develop a holistic cybersecurity program:
- Framework Core – Cybersecurity activities and information references, organized around particular outcomes. These enable the clear communication of cyber risk across an organization.
- Framework Implementation Tiers – Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.
- Framework Profile – Aligns industry standards and best practices to the Framework Core in an implementation scenario. Supports prioritization and measurement while factoring in business needs.
The Core is a set of desired cybersecurity activities and outcomes organized by Categories and aligned to Informative References. The Framework Core is designed to be intuitive and to act as a translation layer to enable communication between teams by using simple, non-technical language. The Core consists of three parts: Functions, Categories, and Subcategories.
The Core includes five high-level functions:
These 5 functions are not only applicable to cybersecurity risk management but also to risk management as a whole. Under the 5 Functions are 23 Categories, including but not limited to Asset Management, Business Environment, Protective Technology, Anomalies and Events, Security Continuous Monitoring, and more.
Each category features subcategories similar to controls, with Informative References to other security frameworks (e.g. COBIT, ISO/IEC 27001, etc.).
Tiers are the second component of the Framework and describe the extent to which a company’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of intensity, how well-integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information from external parties.
The Risk Management Process is defined as the functionality and repeatability of cybersecurity risk management.
The Integrated Risk Management Program is the extent to which cybersecurity is considered in broader risk management decisions.
External Participation is the degree to which the organization benefits from sharing or receiving information from outside parties. In other words, deciding how and how much information should be shared outside of the organization to receive benefits without increasing your company’s attack surface.
Profiles are focused on honing the Framework to best serve the company.
One way of approaching profiles is for an organization to great a ‘gap analysis’ of their cybersecurity requirements, mission objectives, and operating methodologies, along with current practices against the subcategories of the Framework Core to create their Profile. These requirements and objectives can then be compared against the current state of the company to gain an understanding of where and how to fill those gaps.
Profiles are ultimately a decision support tool for cybersecurity risk management and represent a fusion of business and company mission logic with cybersecurity outcomes.
The Framework is a powerful tool that can allow you to create or improve your cybersecurity risk management program. Remember, the Framework was created to primarily help build resilience against cybersecurity risks that compromise business objectives, not as a project to leave your IT department to handle alone.