Cybersecurity Framework

In 2014, NIST released the first version of what is known as the Cybersecurity Framework. This framework is a result of President Barack Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued in 2013. The framework was developed through collaboration between government and private-sector participants, given the vested interests of the associated stakeholders. The current version is NIST 800-53, Revision 5, which was published on September 23, 2020.

The purpose of the Cybersecurity Framework is to provide a voluntary structure for reducing the risks to critical infrastructure. The first version draws on various other standards and best practices, and “provides a common language and mechanism for organizations” to do the following five things:

  • Describe their existing cybersecurity stance.

  • Describe their ideal end state for cybersecurity.

  • Prioritize areas for improvement as related to managing risk.

  • Measure progress toward the ideal end state.

  • Encourage communication among the various stakeholders.

The Cybersecurity Framework is made up of three components:

  • The Framework Core

  • The Framework Profile

  • The Framework Implementation Tiers

The Framework Core is a matrix of activities and associated references. The framework includes various categories across five different functions. These functions are as follows:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

For each of the categories or subcategories across one of the aforementioned functions, references are included. References draw on existing standards, guidelines, and best practices. The framework includes an example for the Protect function. Within the Protect function are various categories, such as Data Security and Access Control. For example, ISO/IEC 27001 provides control A.8.3.3 for physical media transfer. This control serves as an informative reference to the Data Security subcategory and specifically addresses the subcategory “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals.”

The Framework Profile provides the primary mechanism for improving security posture: the existing state (the current profile) is compared with the ideal end state (the target profile), and the differences become the areas to improve. Finally, the Framework Implementation Tiers define four levels that describe how an organization manages risk. The following are the tiers in order from least mature to most mature:

  • Tier 1—Partial

  • Tier 2—Risk informed

  • Tier 3—Risk informed and repeatable

  • Tier 4—Adaptive
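The Core, Profile and Tier concepts above fit together as a small gap analysis: the Core supplies the function/category/subcategory structure and informative references, each profile assigns a tier to every subcategory, and comparing the current profile with the target profile yields a prioritized list of gaps. The following Python is an added example and is not code from the NIST document; the subset of the Core, its subcategory identifiers (written in the CSF style, e.g. "PR.DS-2") and the current/target profile values are constructed for illustration, and the single informative reference shown is the ISO/IEC 27001 control A.8.3.3 cited on this page.

```python
from dataclasses import dataclass

# Framework Implementation Tiers, as listed on the page, least to most mature.
TIERS = {1: "Partial", 2: "Risk informed", 3: "Risk informed and repeatable", 4: "Adaptive"}

# Constructed subset of a Framework Core: function -> category -> {subcategory id: outcome}.
# Identifiers and wording are illustrative, written in the CSF style; not the full Core.
CORE = {
    "Protect": {
        "Access Control": {"PR.AC-1": "Identities and credentials are managed"},
        "Data Security": {
            "PR.DS-1": "Data at rest is protected",
            "PR.DS-2": "Data in transit is protected",
        },
    },
    "Detect": {
        "Anomalies and Events": {"DE.AE-1": "A baseline of network operations is established"},
    },
}

# Informative references per subcategory. The ISO/IEC 27001 control is the one the page cites
# for protecting data during transportation/transmission; other entries are left empty on purpose.
REFERENCES = {
    "PR.DS-2": ["ISO/IEC 27001 A.8.3.3"],
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    category: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        # Number of tiers the organization must climb for this subcategory.
        return self.target - self.current


def _locate(subcategory: str):
    """Return (function, category) for a subcategory id, or raise KeyError if it is not in the Core."""
    for function, categories in CORE.items():
        for category, subcategories in categories.items():
            if subcategory in subcategories:
                return function, category
    raise KeyError(f"unknown subcategory {subcategory!r}")


def _check_tier(tier: int) -> int:
    """Profiles may only use the four defined tiers; anything else is a data error, not a gap."""
    if tier not in TIERS:
        raise ValueError(f"tier must be one of {sorted(TIERS)}, got {tier!r}")
    return tier


def profile_gaps(current: dict, target: dict) -> list:
    """Compare a current profile with a target profile.

    Both profiles map subcategory id -> tier (1-4). A subcategory that the target
    names but the current profile omits is treated as Tier 1 (Partial), since
    nothing has been assessed for it yet. Returns only subcategories where the
    target exceeds the current tier, largest delta first, then by id.
    """
    gaps = []
    for subcategory, target_tier in target.items():
        function, category = _locate(subcategory)
        current_tier = _check_tier(current.get(subcategory, 1))
        target_tier = _check_tier(target_tier)
        if target_tier > current_tier:
            gaps.append(Gap(subcategory, function, category, current_tier, target_tier))
    gaps.sort(key=lambda g: (-g.delta, g.subcategory))
    return gaps


def references_for(subcategory: str) -> list:
    """Informative references that can guide closing a gap (empty list if none are recorded)."""
    _locate(subcategory)  # validate the id against the Core first
    return list(REFERENCES.get(subcategory, []))


def summarize(gaps: list) -> list:
    """Human-readable lines, one per gap, including any informative references."""
    lines = []
    for g in gaps:
        refs = ", ".join(references_for(g.subcategory)) or "none listed"
        lines.append(
            f"{g.function}/{g.category} {g.subcategory}: "
            f"Tier {g.current} ({TIERS[g.current]}) -> Tier {g.target} ({TIERS[g.target]}); refs: {refs}"
        )
    return lines


if __name__ == "__main__":
    # Constructed profiles: the current profile has not assessed DE.AE-1 at all.
    current_profile = {"PR.AC-1": 3, "PR.DS-1": 2, "PR.DS-2": 1}
    target_profile = {"PR.AC-1": 3, "PR.DS-1": 3, "PR.DS-2": 4, "DE.AE-1": 2}
    for line in summarize(profile_gaps(current_profile, target_profile)):
        print(line)
```

Sorting by delta puts the subcategory furthest from its target (here, data in transit at Tier 1 against a Tier 4 target) at the top of the improvement list, which is the prioritization step the framework describes; the attached references then point at the standards that can be used to close that gap.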

Various frameworks, and the Cybersecurity Framework in particular, recognize that organizations may already use or reference multiple frameworks and standards. The Cybersecurity Framework is purposely designed to supplement these other programs, and it can be used both by organizations just starting out and by those improving existing programs.
