
NIST Cybersecurity Framework (CSF) - Overview

Summary

The NIST Cybersecurity Framework (CSF) is used to help an organization improve its cybersecurity program and posture. It focuses on using business drivers to guide cybersecurity activities and on treating information security risk as part of the organization’s overall risk management plan.

The CSF offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions.

Structure

The NIST CSF consists of three parts:

A. Framework Core - 5 different functions (ID, PR, DE, RS, RC), and 22 total categories.

B. Implementation Tiers

C. Framework Profiles

A. Framework Core

The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organizational Profiles. The Framework Core elements work together as follows:

  • Functions organize basic cybersecurity activities at their highest level. These five Functions are Identify, Protect, Detect, Respond, and Recover:
    1. Identify (ID) — Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
    2. Protect (PR) — Develop and implement the appropriate safeguards to ensure delivery of services.
    3. Detect (DE) — Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
    4. Respond (RS) — Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
    5. Recover (RC) — Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

    Together, these five functions provide a comprehensive perspective on managing cybersecurity risk over time.

  • Categories are the subdivisions of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities (e.g., “Asset Management,” “Identity and Access Management,” “Detection Processes”). There are 22 total categories.
  • Subcategories further divide a Category into specific outcomes of technical and/or management activities.
  • Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.

B. Implementation Tiers

The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help in prioritizing and achieving cybersecurity objectives. The tiers range from Tier 1 to Tier 4:

Tier 1 (Partial):

  • Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
  • Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on a case-by-case basis.
  • External Participation – The organization does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organization does not collaborate with or receive information (e.g., threat intelligence, best practices, technologies) from other entities, nor does it share information.

Tier 2 (Risk Informed):

  • Risk Management Process – Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
  • Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established.
  • External Participation – Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. Additionally, the organization is aware of the cyber supply chain risks associated with the products and services it provides and uses, but does not act consistently or formally upon those risks.

Tier 3 (Repeatable):

  • Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
  • Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.
  • External Participation – The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community’s broader understanding of risks. It collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities. The organization is aware of the associated cyber supply chain risks.

Tier 4 (Adaptive):

  • Risk Management Process – The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
  • Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities and continuous awareness of activities on their systems and networks.
  • External Participation – The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks. It receives, generates, and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organization shares that information internally and externally with other collaborators. The organization uses real-time information to understand cyber supply chain risks.

Tiers describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels. Tiers are meant to support organizational decision making about how to manage cybersecurity risk, as well as which dimensions of the organization are higher priority and could receive additional resources. Progression to higher Tiers is encouraged when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk.

C. Framework Profiles

Through the use of Profiles, the Framework helps an organization align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources.

  • The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.

A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Given the complexity of many organizations, they may choose to have multiple profiles, aligned with particular components and recognizing their individual needs.

Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities.

  • The Current Profile indicates the cybersecurity outcomes that are currently being achieved.
  • The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.

Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives.

  • An action plan to address these gaps to fulfill a given Category or Subcategory can contribute to the roadmap described above.

Steps for using the Framework (to establish or improve a cybersecurity program)

The following steps illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program:

  1. Prioritize and Scope (objectives, priorities, systems, and assets)
  2. Orient (identify threats and vulnerabilities)
  3. Create a Current Profile
  4. Conduct a Risk Assessment
  5. Create a Target Profile
  6. Determine, Analyze, and Prioritize Gaps
  7. Implement Action Plan

These steps should be repeated as necessary to continuously improve cybersecurity.
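Steps 3 through 6 above (Current Profile, risk assessment, Target Profile, gap analysis) can be made concrete with a small script. The following is an added example, not code from the original post or from NIST: it scores each Category in a Current and a Target Profile on a constructed 0-4 "degree achieved" scale, weights each gap by a priority taken from the risk assessment, and orders the result into an action plan rolled up per Function. The Category codes (ID.AM, PR.AC, DE.DP, RS.RP, RC.RP) are CSF v1.1 identifiers; all scores and priorities are constructed sample data.

```python
"""Gap analysis between a CSF Current Profile and Target Profile (added example,
not from the original post or NIST). Category codes are CSF v1.1 identifiers;
the 0-4 achievement scale, scores and priorities below are constructed."""
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Gap:
    outcome: str    # Category or Subcategory identifier, e.g. "PR.AC"
    function: str   # one of ID, PR, DE, RS, RC
    current: int    # degree achieved today (Current Profile)
    target: int     # degree needed (Target Profile)
    priority: int   # from the risk assessment: 1 = low, 3 = high

    @property
    def score(self) -> int:
        """Weighted gap used to order the action plan."""
        return (self.target - self.current) * self.priority

def analyze_gaps(current: dict[str, int], target: dict[str, int],
                 priority: dict[str, int]) -> list[Gap]:
    """Outcomes where the Target Profile exceeds the Current Profile, highest score first."""
    gaps = []
    for outcome, want in target.items():
        func = outcome.split(".")[0]
        if func not in FUNCTIONS:
            raise ValueError(f"unknown CSF Function in {outcome!r}")
        have = current.get(outcome, 0)   # absent from Current Profile => not achieved
        if want > have:
            gaps.append(Gap(outcome, func, have, want, priority.get(outcome, 1)))
    return sorted(gaps, key=lambda g: (-g.score, g.outcome))

def rollup_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Total weighted gap per Function, for the roadmap summary."""
    totals = {code: 0 for code in FUNCTIONS}
    for g in gaps:
        totals[g.function] += g.score
    return totals

# Constructed sample profiles, scored per Category on the 0-4 scale.
CURRENT = {"ID.AM": 2, "PR.AC": 1, "DE.DP": 1, "RS.RP": 3, "RC.RP": 3}
TARGET = {"ID.AM": 3, "PR.AC": 4, "DE.DP": 3, "RS.RP": 3, "RC.RP": 4}
PRIORITY = {"ID.AM": 2, "PR.AC": 3, "DE.DP": 3, "RC.RP": 1}

if __name__ == "__main__":
    for g in analyze_gaps(CURRENT, TARGET, PRIORITY):
        print(f"{g.outcome} {FUNCTIONS[g.function]}: {g.current}->{g.target} score={g.score}")
    print(rollup_by_function(analyze_gaps(CURRENT, TARGET, PRIORITY)))
```

Re-running the script after each iteration of Step 7 (Implement Action Plan) with an updated Current Profile shows which gaps remain, which is the repeat-as-necessary loop the steps describe.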


Source: https://www.nist.gov/cyberframework


This post is licensed under CC BY 4.0 by the author.