Digest of NIST Cybersecurity Framework

NIST Cybersecurity Framework

This post is a digest of the Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework) Version 1.1 from NIST.

The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.

  • The United States depends on the reliable functioning of its critical infrastructure.
  • To strengthen the resilience of this infrastructure, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of the National Institute of Standards and Technology (NIST) to “facilitate and support the development of” cybersecurity risk frameworks.
    • To manage cybersecurity risks, a clear understanding of the organization’s business drivers and security considerations specific to its use of technology is required.
    • The Framework includes a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.
    • The Framework remains effective and supports technical innovation because it is technology neutral, while also referencing a variety of existing (global) standards, guidelines, and practices that evolve with technology.
    • The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
    • The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program.
  • Critical infrastructure is defined in the U.S. Patriot Act of 2001 as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  • The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the Nation’s infrastructure. Members of each critical infrastructure sector perform functions that are supported by the broad category of technology, including information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and connected devices more generally, including the Internet of Things (IoT).

Core

  • The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
  • The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
  • The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
  • The Framework Core then identifies underlying key Categories and Subcategories – which are discrete outcomes – for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

Tiers

  • Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
  • Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive).
  • The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).
  • These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
  • During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Profile

  • A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.
  • The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
  • Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).
  • To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business/mission drivers and a risk assessment, determine which are most important; it can add Categories and Subcategories as needed to address the organization’s risks.
  • The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost effectiveness and innovation.
  • Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
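As an added illustration (not part of the original post or of NIST's framework), the following Python script models the Current/Target Profile comparison described above: each selected outcome is scored on an assumed three-step status scale, outcomes with a gap are listed highest priority first, and progress toward the Target Profile is measured as a single fraction. The Subcategory labels, the status scale and the priority numbers are assumptions for the example; CSF 1.1 does not prescribe them.

```python
from dataclasses import dataclass

# Ordinal scale for how fully an outcome is achieved. This scale is an
# assumption for the example; CSF 1.1 does not prescribe one.
STATUS = {"none": 0, "partial": 1, "achieved": 2}
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # Subcategory label (placeholders in the sample below)
    function: str      # one of the five CSF Functions
    priority: int      # 1 = highest, taken from the risk assessment
    current: str       # status in the Current ("as is") Profile
    target: str        # status in the Target ("to be") Profile


def gap(o):
    """Distance from Current to Target status; 0 means the outcome is met."""
    return max(0, STATUS[o.target] - STATUS[o.current])


def gap_analysis(outcomes):
    """Outcomes with a gap, highest priority first, then larger gap first."""
    for o in outcomes:
        assert o.function in FUNCTIONS, o.function
    return sorted((o for o in outcomes if gap(o) > 0),
                  key=lambda o: (o.priority, -gap(o), o.subcategory))


def progress(outcomes):
    """Fraction of the Target Profile's status points already reached."""
    wanted = sum(STATUS[o.target] for o in outcomes)
    have = sum(min(STATUS[o.current], STATUS[o.target]) for o in outcomes)
    return have / wanted if wanted else 1.0


# Constructed sample Profile; the "-x" Subcategory labels are placeholders.
SAMPLE = [
    Outcome("ID.AM-x", "Identify", 1, "partial", "achieved"),
    Outcome("PR.AC-x", "Protect", 1, "none", "achieved"),
    Outcome("DE.CM-x", "Detect", 2, "achieved", "achieved"),
    Outcome("RS.RP-x", "Respond", 2, "none", "partial"),
    Outcome("RC.RP-x", "Recover", 3, "partial", "partial"),
]

if __name__ == "__main__":
    for o in gap_analysis(SAMPLE):
        print(f"P{o.priority} {o.function:8} {o.subcategory}: "
              f"{o.current} -> {o.target} (gap {gap(o)})")
    print(f"progress toward Target Profile: {progress(SAMPLE):.0%}")
```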

CSF Functions, Outcomes, and References
