https://www.nist.gov/cyberframework
As part of the national and economic security of the U.S., and with a particular focus on critical infrastructure, the President issued an executive order in February 2013 directing NIST to develop a framework, based on existing standards, guidelines, and practices, to reduce cyber risks to critical infrastructure. The NIST Cybersecurity Framework was developed as a collaboration between industry and government, and the first version of the Framework was released in February 2014 as voluntary guidance for organizations to manage and reduce cybersecurity risk. After further improvements, Version 1.1 of the Framework was released in April 2018.
The Cybersecurity Framework consists of three main components:
- The Core
- Implementation Tiers
- Profiles
Figure 1: Structure of the Framework Core
Framework Core
The Framework Core is a set of activities that can be followed to achieve specific cybersecurity objectives, and the guidance needed to carry them out is provided as a set of reference examples. It is important to note that the Core is not a checklist of actions that the organization has to perform; instead, it contains key cybersecurity objectives identified by stakeholders that are helpful when managing cybersecurity risk.
As shown in Figure 1, the Framework Core comprises four elements: Functions, Categories, Subcategories, and Informative References. Taken together, the Functions provide a high-level, strategic view of an organization's cybersecurity risk management life cycle. The Framework Core then identifies the key Categories and Subcategories, which are the discrete outcomes of each Function, and binds them to related Informative References such as existing standards, guidelines, and practices.
The Framework Core elements operate collaboratively as follows:
- Functions: Organize the cybersecurity activities into five concurrent and continuous functions, namely Identify, Protect, Detect, Respond, and Recover. Functions provide a high-level, strategic view of an organization's cybersecurity risk management life cycle. They help the organization gather information, make risk management decisions, mitigate risks, and improve its cybersecurity strategy.
- Categories: The subdivisions of a Function into groups of cybersecurity outcomes, closely tied to programmatic requirements and specific activities.
- Subcategories: The further division of a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help to achieve the outcomes of each Category.
- Informative References: Specific sections of standards, guidelines, and practices common across critical infrastructure sectors that illustrate a method for achieving the outcomes associated with each Subcategory.
Figure 2 shows how the Framework Core elements operate together. One of the Categories of the "Identify" Function is "Supply Chain Risk Management", which is further divided into the Subcategories "ID.SC-1", "ID.SC-2", "ID.SC-3", and so on. For each Subcategory, a list of Informative References is provided, such as the Center for Internet Security (CIS) Critical Security Controls (CSC), COBIT 5, and International Society of Automation (ISA) standards.
The five Framework Core Functions are not intended to form a sequence; instead, the Functions should be performed concurrently and continuously to maintain an up-to-date and dynamic cybersecurity risk management approach.
- Identify: Develop an understanding of the cybersecurity risks to the organization's systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational to effective use of the Framework, as they surface the organization's exposures. Once the business context, the resources that support critical functions, and the related cybersecurity risks are identified, the organization can prioritize its efforts and focus its risk management strategy on its business requirements. The Categories of the "Identify" Function are Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services. The objective of the Protect Function is to limit or contain the impact of a potential cybersecurity event. The Categories of the "Protect" Function are Identity Management, Authentication and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. The Detect Function can incorporate cybersecurity technologies such as Intrusion Detection Systems and firewalls to identify current threats. The Categories of the "Detect" Function are Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
- Respond: Develop and implement appropriate activities to take action on a detected cybersecurity incident. The objective of the Respond Function is to contain the impact of a potential cybersecurity incident. The Categories of the "Respond" Function are Response Planning, Communications, Analysis, Mitigation, and Improvements.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident. The objective of the Recover Function is a timely return to normal operations and a reduction of the impact of a cybersecurity event. The Categories of the "Recover" Function are Recovery Planning, Improvements, and Communications.
Framework Implementation Tiers
The Framework Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers therefore give an overview of how the organization views and manages cybersecurity risk. They range from Partial (Tier 1) to Adaptive (Tier 4) and reflect a progression in cybersecurity risk management from informal, reactive responses to agile and risk-informed practices.
The Tier definitions are as follows:
- Tier 1 (Partial): The organization's cybersecurity risk management practices are ad hoc, neither formalized nor prioritized. There is limited awareness of cybersecurity risk at the organizational level, and the organization does not collaborate with its stakeholders in the risk management process.
- Tier 2 (Risk Informed): The organization has approved risk management practices, but they are not established as organization-wide policies or procedures. There is awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing it has not been established. The organization identifies its stakeholders and ecosystem, but only either its own dependencies or its dependents, not both. Furthermore, the organization is aware of cyber supply chain risks, but does not act to mitigate them.
- Tier 3 (Repeatable): The organization's risk management practices are formally approved, expressed as policies, and updated regularly. There is an adequate organization-wide awareness of risk management, and the organization consistently monitors the cybersecurity risk of its assets. The organization understands its role, dependencies, and dependents in the ecosystem and collaborates actively with stakeholders. Furthermore, the organization is aware of cyber supply chain risks and generally takes measures to mitigate them.
- Tier 4 (Adaptive): The organization's risk management practices adapt on the basis of previous and current cybersecurity activities, such as past incidents and predictive indicators. The process incorporates advanced and recent cybersecurity technologies and practices. There is a high organization-wide awareness of risk management, and it is reflected in the organization's budget. The organization understands its role, dependencies, and dependents in the ecosystem and collaborates actively with stakeholders. Furthermore, the organization is fully aware of cyber supply chain risks and continuously and actively takes measures to mitigate them.
Framework Profile
The Framework Profile is the alignment of the Functions, Categories, and Subcategories of the Framework with the business requirements, risk management strategy, and resources of the organization. A Profile can be used to identify opportunities for improving the cybersecurity posture of an organization by comparing a "Current" Profile, which describes the "as is" state, with a "Target" Profile, which describes the "to be" state.
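The Current-versus-Target comparison described above, and the Function / Category / Subcategory hierarchy described under the Framework Core, can be worked through concretely as a gap analysis over Subcategory identifiers. The following is an added example, not code from NIST or from the original page. It assumes a per-Subcategory rating on a 1–4 scale that borrows the four Tier names (the Framework itself applies Tiers to the organization as a whole, so this scale is a modelling choice of the example), and the two Profiles are constructed sample data: ID.SC-1 to ID.SC-3 come from the page, the other IDs are CSF 1.1 Subcategory identifiers chosen so that several Functions are represented.

```python
"""Profile gap analysis over NIST CSF Subcategory identifiers (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Functions of the Framework Core, keyed by the two-letter prefix of a Subcategory ID.
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Per-Subcategory rating scale. Assumption of this example: the four Tier names are
# reused as a 1-4 scale for individual outcomes; the Framework applies Tiers to the
# organization as a whole, not to each Subcategory.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample Profiles (not real assessment data). ID.SC-1..3 appear on the
# page; the remaining keys are CSF 1.1 Subcategory IDs used here for illustration.
CURRENT_PROFILE: Dict[str, int] = {
    "ID.SC-1": 2,
    "ID.SC-2": 1,
    "ID.SC-3": 3,
    "PR.AC-1": 3,
    "DE.CM-1": 2,
}
TARGET_PROFILE: Dict[str, int] = {
    "ID.SC-1": 3,
    "ID.SC-2": 3,
    "ID.SC-3": 3,
    "PR.AC-1": 4,
    "DE.CM-1": 3,
    "RS.RP-1": 3,  # present in the Target but absent from the Current Profile
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        return self.target - self.current


def function_of(subcategory_id: str) -> str:
    """Map an ID such as 'ID.SC-1' to its Function name via the prefix; reject unknown IDs."""
    prefix, _, rest = subcategory_id.partition(".")
    if prefix not in FUNCTIONS or not rest:
        raise ValueError(f"not a Framework Subcategory ID: {subcategory_id!r}")
    return FUNCTIONS[prefix]


def gap_analysis(current: Dict[str, int], target: Dict[str, int]) -> List[Gap]:
    """Return every Subcategory whose Target rating exceeds its Current rating.

    A Subcategory missing from the Current Profile is treated as unaddressed
    (rating 1, Partial). Results are ordered largest gap first, then by ID, so
    the list can serve directly as a prioritised work queue.
    """
    gaps: List[Gap] = []
    for sub, want in target.items():
        have = current.get(sub, 1)
        if want not in TIER_NAMES or have not in TIER_NAMES:
            raise ValueError(f"rating for {sub} must be in 1..4")
        if want > have:
            gaps.append(Gap(sub, function_of(sub), have, want))
    return sorted(gaps, key=lambda g: (-g.delta, g.subcategory))


def summarize_by_function(gaps: List[Gap]) -> Dict[str, Dict[str, int]]:
    """Roll gaps up to the Function level: open Subcategories and total rating delta."""
    summary: Dict[str, Dict[str, int]] = {}
    for g in gaps:
        entry = summary.setdefault(g.function, {"subcategories": 0, "delta": 0})
        entry["subcategories"] += 1
        entry["delta"] += g.delta
    return summary


if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in found:
        print(f"{g.subcategory:8} {g.function:9} "
              f"{TIER_NAMES[g.current]:14} -> {TIER_NAMES[g.target]:14} (+{g.delta})")
    print(summarize_by_function(found))
```

Running the script lists ID.SC-2 and RS.RP-1 first (two-step gaps, the latter because it is absent from the Current Profile entirely), followed by the one-step gaps, and then a per-Function roll-up that shows where the largest share of work sits; in a real assessment the two dictionaries would be populated from the organization's own Profile worksheets.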