
What is the NIST Cybersecurity Framework?


Introduction

The Framework for Improving Critical Infrastructure Cybersecurity, better known as the NIST Cybersecurity Framework, was initially issued in the United States in February 2014. The current version is 1.1, released in April 2018.

The framework provides guidance to help organizations of all sizes understand, manage, and reduce cyber risk and protect their networks and data, offering a common language and a summary of cybersecurity best practices.


Applicability: The framework is applicable to organizations that rely on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices in general, including the Internet of Things (IoT).

Structure: The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.

The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references that are common across all sectors and critical infrastructure. It consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Considered together, these Functions provide a high-level strategic view of the lifecycle of an organization’s cybersecurity risk management. Each Function is composed of Categories, each Category is divided into Subcategories, and each Subcategory is accompanied by informative references to other standards and frameworks (ISO/IEC 27001, COBIT 5, NIST SP 800-53, ISA 62443, among others) where a greater level of detail can be found for implementing the referenced cybersecurity controls.

Each Function with its respective categories is shown below:

Function ID   Function   Category ID   Category
ID            Identify   ID.AM         Asset Management
                         ID.BE         Business Environment
                         ID.GV         Governance
                         ID.RA         Risk Assessment
                         ID.RM         Risk Management Strategy
                         ID.SC         Supply Chain Risk Management
PR            Protect    PR.AC         Identity Management and Access Control
                         PR.AT         Awareness and Training
                         PR.DS         Data Security
                         PR.IP         Information Protection Processes and Procedures
                         PR.MA         Maintenance
                         PR.PT         Protective Technology
DE            Detect     DE.AE         Anomalies and Events
                         DE.CM         Security Continuous Monitoring
                         DE.DP         Detection Processes
RS            Respond    RS.RP         Response Planning
                         RS.CO         Communications
                         RS.AN         Analysis
                         RS.MI         Mitigation
                         RS.IM         Improvements
RC            Recover    RC.RP         Recovery Planning
                         RC.IM         Improvements
                         RC.CO         Communications

The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which helps prioritize and achieve cybersecurity objectives. The framework defines four Tiers, from the weakest to the most robust: Partial, Risk Informed, Repeatable, and Adaptive.

The Tier is determined from three attributes (risk management process, risk management integration, and external participation), whose characteristics at each Tier are summarized below:

Risk Management Process
  Partial: not formalized; ad hoc; reactive.
  Risk Informed: approved processes, but they may not be established as organization-wide policies; cybersecurity activities are based on risk objectives.
  Repeatable: approved processes expressed as policies; cybersecurity activities are regularly updated based on changes in the risk profile.
  Adaptive: continuous improvement that includes lessons learned and predictive indicators; the organization continually adapts to a changing landscape of threats and technologies and responds effectively.

Risk Management Integration
  Partial: limited awareness of risk; the organization implements cybersecurity risk management on an irregular, case-by-case basis.
  Risk Informed: there is awareness of cybersecurity risk at the organizational level; risk assessment is carried out but is NOT recurrent.
  Repeatable: policies and procedures have been defined and implemented; there is a consistent approach to monitoring and managing risk; competent personnel are available; senior management regularly communicates about cyber risk.
  Adaptive: cybersecurity risk management is part of the organizational culture; security risk is aligned with business objectives; risk is monitored like any other type of risk (e.g. operational risk); the organization’s budget is based on an understanding of the current and anticipated risk environment and its risk tolerance.

External Participation
  Partial: the organization does NOT collaborate with, receive information from, or share information with other entities; its cyber supply chain risks are unknown.
  Risk Informed: the organization collaborates with and receives some information from other entities, but does not share it; it is aware of its cyber supply chain risks but does not act consistently on them.
  Repeatable: the organization receives and shares information with other entities; it is aware of its cyber supply chain risks and acts consistently on them.
  Adaptive: the organization uses real-time or near real-time information to understand and act consistently on cyber supply chain risks; it communicates proactively, using formal and informal mechanisms to develop and maintain strong cyber supply chain relationships.

Finally, a Profile represents the outcomes, based on business needs, that an organization has selected from the Framework’s Categories and Subcategories. A Profile can be characterized as the alignment of standards, guidelines, and practices with the Framework Core in a particular implementation scenario.

More colloquially, a Profile is a snapshot in time of the current state (or the desired target state) of cybersecurity in an organization or business unit. The difference between the Current Profile and the Target Profile allows building a prioritized roadmap for implementation.

7 Steps to Follow the NIST Framework Roadmap

  1. Prioritization and Scope. The organization identifies its business or mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.
  2. Orientation. The organization identifies related systems and assets, regulatory requirements, and the overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.
  3. Current Profile. The organization develops a Current Profile indicating which Framework Core category and subcategory outcomes are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information.
  4. Risk assessment. This assessment may be guided by the organization’s overall risk management process or prior risk assessment activities. The organization analyzes the operating environment to discern the likelihood of a cybersecurity event and the impact the event could have on the organization. It is important that organizations identify emerging risks and use cybersecurity threat information from internal and external sources to gain a better understanding of the risk associated with cybersecurity events.
  5. Target Profile. The organization creates a Target Profile that focuses on the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. The organization may also consider the influences and requirements of external stakeholders, such as industry entities, customers, and business partners, when creating the Target Profile.
  6. Determine, analyze, and prioritize gaps. The organization compares the Current Profile and the Target Profile to determine the gaps. It then creates a prioritized action plan to address the gaps (reflecting the drivers, costs and benefits, and mission risks) in order to achieve the outcomes in the Target Profile. The organization then determines the resources needed to address the gaps, including funding and workforce. Using Profiles in this way encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables targeted and cost-effective improvements.
  7. Implement action plan. The organization determines what actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices to achieve the Target Profile. To provide more direction, the Framework identifies examples of informative references on the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are industry-specific, work best for their needs.
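To make steps 3, 5 and 6 concrete, the following is an added Python example (not code from the original article or from GlobalSUITE) that records a Current Profile and a Target Profile over the Framework Core categories listed above and ranks the gaps into a prioritized action list. The 0-4 score per category, the impact weights and the sample Profiles are assumptions of the example; the Framework itself only asks whether each outcome is achieved, partially achieved or not achieved.

```python
from dataclasses import dataclass

# Category identifiers and names from the Framework Core table above. The 0-4
# scoring scale and the impact weights are this example's assumptions, not the
# Framework's, which only asks whether an outcome is achieved, partial or not.
CATEGORIES = {
    "ID.AM": "Asset Management",
    "PR.AC": "Identity Management and Access Control",
    "PR.DS": "Data Security",
    "DE.CM": "Security Continuous Monitoring",
    "RS.RP": "Response Planning",
    "RC.RP": "Recovery Planning",
}

@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int
    impact: int

    @property
    def priority(self) -> int:
        # Larger shortfall on a higher-impact category ranks first.
        return (self.target - self.current) * self.impact

def validate_profile(profile: dict[str, int]) -> None:
    """Reject unknown categories or scores outside the 0-4 scale."""
    for cat, score in profile.items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown Framework category: {cat}")
        if not 0 <= score <= 4:
            raise ValueError(f"{cat}: score {score} outside 0-4")

def gap_analysis(current: dict[str, int], target: dict[str, int],
                 impact: dict[str, int]) -> list[Gap]:
    """Step 6: gaps between the two Profiles, highest priority first.
    Categories at or above target are omitted; a category absent from the
    Current Profile scores 0; a category without an impact weight gets 1."""
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(cat, current.get(cat, 0), t, impact.get(cat, 1))
            for cat, t in target.items() if current.get(cat, 0) < t]
    return sorted(gaps, key=lambda g: (-g.priority, g.category))

# Constructed sample Profiles for one business unit (not real assessment data).
CURRENT = {"ID.AM": 1, "PR.AC": 2, "PR.DS": 3, "DE.CM": 0, "RS.RP": 1, "RC.RP": 3}
TARGET = {"ID.AM": 3, "PR.AC": 4, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}
IMPACT = {"PR.AC": 3, "DE.CM": 2, "ID.AM": 2}
```

Calling `gap_analysis(CURRENT, TARGET, IMPACT)` returns the action list with DE.CM and PR.AC first (the largest weighted shortfalls), while PR.DS and RC.RP, already at or above target, do not appear; the same function works unchanged at Subcategory level if the dictionary keys are Subcategory identifiers.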

From GlobalSUITE Solutions, through our GlobalSuite Information Security tool, we support the start-up and implementation of the NIST CSF framework for clients interested in its implementation.