The NIST Cyber Security Framework provides guidance for organizations looking to assess and improve their ability to prevent, detect and respond to cyber attacks. It is composed of three basic parts: the Core Functions, the Implementation Tiers and the Profiles. The Core aids communication of cybersecurity activities and outcomes by defining them and providing informative resources. The Implementation Tiers contextualize how an organization approaches risk management. Finally, the Profile represents the outcomes that the organization chose to focus on, based on its business needs. In other words, the profile is the alignment of standards, guidelines and practices to the framework core for a particular implementation scenario.
The following brief overview summarizes these three framework components and explains how they relate to each other. The framework provides a great deal of flexibility and descriptive power, making it a useful tool for most, if not all, organizations looking to improve their security posture. For more detail, visit http://www.nist.gov or read the document Framework for Improving Critical Infrastructure Cybersecurity, version 1.1.
The five functions (Identify, Protect, Detect, Respond, and Recover) contain 23 categories representing cybersecurity outcomes, which are further broken into 108 subcategories representing activities or controls. Each subcategory lists informative references, typically pointing to other cybersecurity standards such as COBIT and ISO 27001.
Identify
“Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” -NIST 1.1
The Identify function activities generate the foundational knowledge required to make the best use of the framework. An understanding of which resources support mission-critical activities is crucial to balancing risk management strategies, business needs and security priorities. Category Examples: Asset Management; Risk Assessment; Business Environment
Protect
“Develop and implement appropriate safeguards to ensure delivery of critical services.” -NIST 1.1
Category Examples: Awareness and Training; Data Security; Maintenance; Protective Technology
Detect
“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.” -NIST 1.1
Category Examples: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond
“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.” -NIST 1.1
Category Examples: Communications; Analysis; Response Planning; Mitigation; Improvements
Recover
“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.” -NIST 1.1
Category Examples: Recovery Planning; Improvements; Communications
Framework Implementation Tiers
The NIST Implementation Tiers describe how an organization perceives and manages its cybersecurity risk. The scale moves from Tier 1 (Partial) to Tier 4 (Adaptive). These tiers contextualize risk management processes and whether, and to what extent, business needs are integrated into these practices.
Tier selection is a great example of where the Identify function is foundational. Business context, mission objectives, threat environment, supply chain security requirements, regulatory requirements, information sharing practices and other constraints must be taken into account when selecting a tier.
While it is recommended to move from Partial (Tier 1) to Risk Informed (Tier 2) or Repeatable (Tier 3), the scale isn’t meant to represent maturity. Rather, it is meant to support decision making and help leadership determine how to manage cybersecurity risk and which dimensions are higher priority and therefore deserve more resources. This naturally impacts Target Profiles. An organization should move to a higher tier if cost-benefit analysis shows this is cost-effective, feasible and reduces cybersecurity risk.
Implementation Tier Basics
In general, Tier 1, or Partial, indicates an approach that is largely ad hoc, does not have processes for sharing information within the organization, and has limited organizational awareness of cybersecurity risk and cyber supply chain risk. A Tier 1 organization doesn’t collaborate with external organizations regarding best practices, threat intel and so on.
Tier 2, or Risk Informed, has awareness in the aforementioned areas, but doesn’t necessarily have organization-wide practices for managing cybersecurity risk and sharing information. Cyber risk assessment of internal and external assets does happen, but not on a repeatable or recurring schedule.
Tier 3, or Repeatable, has formally approved risk management practices and official policies. Practices are regularly updated as risk management processes are performed and in response to changes in mission or the threat environment. Consistent methods are used to respond to risk, and there is an official organization-wide approach to risk. A Tier 3 organization understands its place in the threat landscape and supply chain. It collaborates with other groups to exchange risk information and may produce its own information. It acts formally upon risks.
Tier 4 is Adaptive, meaning the organization adapts its cybersecurity practices based on prior events and activities, as well as its predictions. There are continuous improvement practices that incorporate advanced technologies and practices. It actively adapts to a changing threat landscape, using near-real-time information. Information is reviewed and prioritized, shared internally, and collaborated upon with external organizations. It is proactive in managing supply chain relationships through both formal and informal mechanisms.
The Framework Profile aligns the Framework Core with an organization’s business requirements, risk tolerance, and available resources. Profiles are a tool to establish a roadmap for reducing risk that aligns with the organization’s needs, constraints, and risk management priorities. Many organizations will create profiles for specific components addressing their needs. Current Profiles show currently achieved cybersecurity outcomes, and can be compared to Target Profiles, which show what needs to be achieved in order to meet cybersecurity risk management goals. Comparing the two profiles and performing the resulting gap analysis helps prioritize the implementation plan. Profile creation is all about using the framework to meet the organization’s needs, so there are no templates and no right or wrong ways to create them.
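The Current-versus-Target Profile comparison described above is easy to mechanize once each subcategory has a score. The following is an added example, not code from the article or from NIST: it scores each subcategory on the page's Tier 1 (Partial) to Tier 4 (Adaptive) scale, which is one common convention rather than something the framework mandates, weights each gap by an assumed business-priority input, and ranks the gaps so the implementation plan can start with the outcomes that matter most. The subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1 and so on) are real CSF 1.1 identifiers; the tier values and weights are constructed sample data.

```python
"""Profile gap analysis over NIST CSF 1.1 subcategories (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

# Function prefix used in every subcategory identifier (e.g. "ID.AM-1" -> "ID").
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample data. Scores use the page's tier scale: 1 = Partial,
# 2 = Risk Informed, 3 = Repeatable, 4 = Adaptive.
CURRENT_PROFILE: Dict[str, int] = {
    "ID.AM-1": 2,   # physical devices and systems inventoried
    "ID.AM-2": 1,   # software platforms and applications inventoried
    "PR.AC-1": 2,   # identities and credentials managed
    "DE.CM-1": 1,   # network monitored for potential cybersecurity events
    "RS.RP-1": 3,   # response plan executed during or after an incident
    "RC.RP-1": 2,   # recovery plan executed during or after an incident
}
TARGET_PROFILE: Dict[str, int] = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "DE.CM-1": 3,
    "RS.RP-1": 3, "RC.RP-1": 3,
    "PR.AT-1": 2,   # all users informed and trained; absent from the current profile
}
# Assumed business-priority weight per subcategory (1 = low, 3 = mission critical);
# this is an input the organization supplies, not part of the framework itself.
PRIORITY: Dict[str, int] = {
    "ID.AM-1": 2, "ID.AM-2": 2, "PR.AC-1": 3, "DE.CM-1": 3,
    "RS.RP-1": 1, "RC.RP-1": 1,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    score: int  # (target - current) * priority weight


def function_of(subcategory: str) -> str:
    """Return the long function name for a subcategory id such as 'DE.CM-1'."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 priority: Dict[str, int]) -> List[Gap]:
    """Compare a Current Profile against a Target Profile and rank the gaps.

    A subcategory missing from the current profile is treated as Tier 1
    (Partial), since nothing has been assessed for it yet. Subcategories that
    already meet or exceed their target produce no gap.
    """
    gaps: List[Gap] = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)
        delta = tgt - cur
        if delta <= 0:
            continue
        gaps.append(Gap(sub, function_of(sub), cur, tgt, delta * priority.get(sub, 1)))
    # Highest score first; ties broken by identifier so output is deterministic.
    gaps.sort(key=lambda g: (-g.score, g.subcategory))
    return gaps


def summarize_by_function(gaps: List[Gap]) -> Dict[str, int]:
    """Total gap score per Core Function, for reporting to leadership."""
    totals: Dict[str, int] = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.score
    return totals


def render_plan(gaps: List[Gap]) -> str:
    """One line per gap, in implementation order."""
    lines = [f"{i}. {g.subcategory} ({g.function}): tier {g.current} -> {g.target}, score {g.score}"
             for i, g in enumerate(gaps, 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    print(render_plan(ranked))
    print(summarize_by_function(ranked))
```

Running the module prints the ranked implementation plan; the Detect gap lands first because it combines a two-tier shortfall with a mission-critical weight, while the unassessed PR.AT-1 subcategory still appears rather than being silently skipped.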