In 2014, NIST released the first version of what is known as the Cybersecurity Framework. This framework is a result of President Barack Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued in 2013. The framework was developed through collaboration between government and private-sector participants, given the vested interests and associated stakeholders. The current version is NIST 800-53, Revision 5, which was published on September 23, 2020.
The purpose of the Cybersecurity Framework is to provide a voluntary structure for reducing the risks to critical infrastructure. The first version considers various other standards and best practices, and “provides a common language and mechanism for organizations” to do the following five key items:
Describe their existing cybersecurity stance.
Describe their ideal end state for cybersecurity.
Prioritize areas for improvement as related to managing risk.
Measure progress toward the ideal end state.
Encourage communication among the various stakeholders.
The Cybersecurity Framework is made up of three components:
The Framework Core
The Framework Profile
The Framework Implementation Tiers
The Framework Core is a matrix of activities and associated references. The framework includes various categories across five different functions. These functions are as follows:
Identify
Protect
Detect
Respond
Recover
For each category and subcategory under these functions, informative references are included. References draw on existing standards, guidelines, and best practices. The framework includes an example for the Protect function. Within the Protect function are various categories, such as Data Security and Access Control. For example, ISO/IEC 27001 provides control A.8.3.3 for physical media transfer. This control serves as an informative reference to the Data Security category and specifically addresses the subcategory “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals.”
The Framework Profile provides the primary mechanism to improve the security posture by comparing the existing state or profile with the ideal end state or target profile. Finally, the Framework Implementation Tiers define four levels, which describe how an organization manages risk. The following are the tiers in order from least mature to most:
Tier 1—Partial
Tier 2—Risk informed
Tier 3—Risk informed and repeatable
Tier 4—Adaptive
Various frameworks, and especially the Cybersecurity Framework, consider that organizations may use or reference multiple frameworks and standards. The Cybersecurity Framework is purposely designed to supplement these other programs. Further, it can be used by organizations just starting out or to improve existing programs.