Underscoring the “living” nature of the Framework, on April 16, 2018, NIST issued an update, Version 1.1.4 The updated Framework features several additional subcategories, including an expansive new set of subcategories dealing with Supply Chain Risk, a timely addition as the protection of digital supply chains has taken center stage due to some recent damaging and high-profile supply chain attacks.
In developing the Framework, NIST wanted to ensure maximum flexibility of application. The final document is industry- and technology-neutral. It encompasses hundreds of standards. It is also international in scope.
NIST stresses that the Framework is not intended to replace any organization’s existing cybersecurity program but is a tool to strengthen existing practices. Suppose an organization does not have a cybersecurity risk management program or set of cybersecurity practices in place? In that case, the Framework should serve as a good starting point for developing that program or those practices.
FRAMEWORK BASED ON RISK MANAGEMENT
NIST premised the entire Framework on the concept of risk management, which is “the ongoing process of identifying, assessing, and responding to risk,” an approach that provides a dynamic implementation of the Framework’s recommendations. Under a risk management approach, “organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”5
The Framework consists of three parts: The Framework Core, the Framework Implementation, and the Framework Profile Tiers. The purpose of these three parts is to provide a “common language” that all organizations can use to understand, manage, and communicate their cybersecurity initiatives, both internally and externally, and can scale down or up to various parts of an organization as needed.
THE FRAMEWORK CORE
The Framework Core is a set of activities aimed at organizing cybersecurity initiatives to achieve specific outcomes. The Core has five functions: Identify, Protect, Detect, Respond, and Recover (Figure 0.1).
Figure 0.1 NIST CORE FRAMEWORK.
Within each of these functions are categories of activities. Within each category of activities are subcategories, and for each subcategory, there are informative references, usually standards, for helping to support the activities (Figure 0.2).
Figure 0.2 NIST CATEGORIES, SUBCATEGORIES, AND INFORMATIVE REFERENCES.
For example, one category under the function Identify is Asset Management (Figure 0.3). A subcategory of Asset Management is “Physical devices and systems within the organization are inventoried.” For that subcategory, the Framework offers informative references that guide physical devices’ inventory, mostly standards established by various technical standards-setting bodies. The complete listing of the Functions, Categories, Subcategories, and Informative References are in Appendix A of the final Framework Document on the NIST website.6
Figure 0.3 NIST FUNCTIONS AND CATEGORIES.
Although some organizations find the Framework Core, Categories, and Subcategories to be daunting, NIST intends them to be resources from which certain elements can be selected or examined, or used depending on the organization’s unique configuration. NIST does not intend it to serve as a checklist of required activities. Nor are the Functions “intended to form a serial path, or lead to a static desired end state.”
FRAMEWORK IMPLEMENTATION TIERS
The Framework Implementation Tiers consist of four levels of “how an organization views cybersecurity risk and the processes in place to manage that risk.” Although the levels are progressive in terms of rigor and sophistication from Tier 1 (partial) to Tier 4 (Adaptive), they are not “maturity” levels in terms of cybersecurity approaches. NIST based successful implementation on the outcomes described in the organization’s Target Profiles (see the next section) rather than a progression from Tier 1 to Tier 4.
The final Framework document describes the implementation tiers in more detail, but the following is a summary of the four tiers, modified from NIST’s description (Figure 0.4):
Tier 1: Partial – Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level with no organization-wide approach to cybersecurity. The organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 2: Risk-Informed – Management approves risk management practices, but they may not be an organization-wide policy. There is awareness of cybersecurity risk at the organization level. Still, an organization-wide approach has not been established, and the organization understands the broader ecosystem but has not formalized its participation in it.
Tier 3: Repeatable – The organization’s risk management practices are approved and formally adopted as policy. There is an organization-wide approach to risk management. The organization collaborates with and receives information from partners in the wider ecosystem.
Tier 4: Adaptive – The organization adapts its cybersecurity practices from lessons learned. Cybersecurity risk management uses risk-informed policies, procedures, and processes and is part of the organizational culture and the organization actively shares information with partners.
Figure 0.4 NIST IMPLEMENTATION TIERS.
FRAMEWORK PROFILE
The Framework Profile is a blueprint or map that considers the Framework’s functions, categories, and subcategories for a specific purpose tailored to the organization’s needs. Organizations should develop profiles for current or desired cybersecurity objectives, and some organizations can create multiple profiles for different segments or aspects of the organization.
No template for what a profile should look like exists because Framework users should tailor their profiles to their organizations’ specific needs. As NIST points out, there is no right or wrong way to develop a profile. As Figure 0.5 illustrates, the factors that could go into a profile are an organization’s business objectives, threat environment, requirements, and controls, all of which create a cybersecurity profile unique to that organization.
Figure 0.5 NIST FRAMEWORK RISK MANAGEMENT CYCLE.