Successfully reported this slideshow.
Your SlideShare is downloading. ×

NIST CyberSecurity Framework: An Overview

Apr. 25, 2015
43 likes 16,757 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
Loading in …3
×

Check these out next

NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
Business case for information security program
William Godwin
Information Security vs IT - Key Roles & Responsibilities
Kroll
Cybersecurity - Overview
THANUJA SENEVIRATNE
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
Cybersecurity Employee Training
Paige Rasid
Endpoint Detection & Response - FireEye
Prime Infoserv
The Next Generation of Security Operations Centre (SOC)
PECB
1 of 39 Ad

NIST CyberSecurity Framework: An Overview

Apr. 25, 2015
43 likes 16,757 views

Download to read offline

Technology
Technology
Advertisement

Recommended

Introduction to Risk Management via the NIST Cyber Security Framework
PECB
5.2k views
20 slides
Security Information and Event Management (SIEM)
k33a
41.2k views
41 slides
Security Operation Center Fundamental
Amir Hossein Zargaran
2.8k views
79 slides
Security operation center (SOC)
Ahmed Ayman
506 views
17 slides
NIST cybersecurity framework
Shriya Rai
390 views
11 slides
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
8.2k views
22 slides
Introduction to Cybersecurity
Krutarth Vasavada
223 views
23 slides
Cybersecurity Framework - Introduction
Muhammad Akbar Yasin
318 views
12 slides
Advertisement

More Related Content

Slideshows for you (20)

NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
4.3k views
Business case for information security program
William Godwin
2.7k views
Information Security vs IT - Key Roles & Responsibilities
Kroll
3k views
Cybersecurity - Overview
THANUJA SENEVIRATNE
810 views
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
11k views
Cybersecurity Employee Training
Paige Rasid
3.1k views
Endpoint Detection & Response - FireEye
Prime Infoserv
508 views
The Next Generation of Security Operations Centre (SOC)
PECB
4.3k views
IBM Security Strategy Overview
xband
1.6k views
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
3.6k views
SOC presentation- Building a Security Operations Center
Michael Nickle
46.3k views
8. operations security
7wounders
4.9k views
Next-Gen security operation center
Muhammad Sahputra
994 views
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
3.3k views
Siem ppt
kmehul
2k views
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
WAJAHAT IQBAL
7.4k views
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
659 views
Artificial Intelligence and Cybersecurity
Olivier Busolini
10.3k views
End User Security Awareness Presentation
Cristian Mihai
39.8k views
Introduction to Cyber Resilience
Peter Wood
1.4k views
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
4.3k views
28 slides
Business case for information security program
William Godwin
2.7k views
12 slides
Information Security vs IT - Key Roles & Responsibilities
Kroll
3k views
40 slides
Cybersecurity - Overview
THANUJA SENEVIRATNE
810 views
17 slides
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
11k views
35 slides
Cybersecurity Employee Training
Paige Rasid
3.1k views
23 slides

Viewers also liked (17)

Enterprise Security Architecture
Kris Kimmerle
39.4k views
Enterprise Security Architecture for Cyber Security
The Open Group SA
38.2k views
Security models for security architecture
Vladimir Jirasek
17.8k views
Security architecture
Duncan Unwin
8.6k views
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
16.8k views
NISTs Cybersecurity Framework -- Comparison with Best Practice
David Ochel
8.1k views
NIST 800-37 Certification & Accreditation Process
timmcguinness
3.1k views
Introduction to NIST Cybersecurity Framework
Tuan Phan
9.3k views
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Schneider Electric
7.9k views
It governance & cobit 5
Laddawan Rattanaruang
73.1k views
Capability Model_Data Governance
Steve Novak
3.9k views
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
29.3k views
NIST Cybersecurity Framework - Mindmap
WAJAHAT IQBAL
2.7k views
Enterprise Security Architecture: From access to audit
Bob Rhubart
6.2k views
Security architecture frameworks
John Arnold
8.6k views
What is IT Governance?
Mansoor Adenwala
23k views
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
74.1k views
Enterprise Security Architecture
Kris Kimmerle
39.4k views
54 slides
Enterprise Security Architecture for Cyber Security
The Open Group SA
38.2k views
45 slides
Security models for security architecture
Vladimir Jirasek
17.8k views
26 slides
Security architecture
Duncan Unwin
8.6k views
37 slides
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
16.8k views
37 slides
NISTs Cybersecurity Framework -- Comparison with Best Practice
David Ochel
8.1k views
23 slides
Advertisement

Similar to NIST CyberSecurity Framework: An Overview (20)

Building Your Information Security Program: Frameworks & Metrics
Rob Arnold
663 views
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
907 views
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
546 views
Nist cybersecurity framework isc2 quantico
Tuan Phan
2.1k views
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
639 views
D1 security and risk management v1.62
AlliedConSapCourses
114 views
EUCI Mapping Cybersecurity to CIP
Scott Baron
316 views
Implementing a Security Management Framework
Joseph Wynn
276 views
framework-version-1.1-overview-20180427-for-web-002.pptx
AshishRanjan546644
2 views
Incident Response: Security's Special Teams
Resilient Systems
1.5k views
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Tripwire
1.6k views
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
14k views
Lessons Learned from the NIST CSF
Digital Bond
3.3k views
Enabling Science with Trust and Security – Guest Keynote
Globus
185 views
A guide to Sustainable Cyber Security
Ernest Staats
486 views
Practical Measures for Measuring Security
Chris Mullins
896 views
New technologies - Amer Haza'a
Fahmi Albaheth
355 views
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
343 views
RiskWatch for Physical & Homeland Security™
CPaschal
1k views
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
North Texas Chapter of the ISSA
200 views
Building Your Information Security Program: Frameworks & Metrics
Rob Arnold
663 views
27 slides
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
907 views
45 slides
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
546 views
12 slides
Nist cybersecurity framework isc2 quantico
Tuan Phan
2.1k views
50 slides
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
639 views
48 slides
D1 security and risk management v1.62
AlliedConSapCourses
114 views
146 slides

Recently uploaded (20)

Amazon.com-An E-business Summary
RohanRajMudvari
0 views
Hire PHP Developer
Website Development Outsourcing
0 views
Where is VoIP Heading with Emerging Technology
Bankai Group
0 views
2. How to Navigate CBMS App (EN).pptx
DivinaIligan
0 views
RAJESH1.pptx
VmarBrothers
0 views
Blockchain Presentations done by Michel
JeanMichelMujyambere
0 views
ANN Lecture_3_Applications of ANN.pdf
LakhanPal15
0 views
BST-01 Ampoule Breaking Tester yang@celtec.cn.pdf
cellinstruments
0 views
Technical_Paper_Presentation.ppt
Balamurugan619913
0 views
Hacking.pptx
Yogesh Chauhan
0 views
Performance Gain for Multiple Stage Centrifugal Compressor by usi.pdf
bui thequan
0 views
Reduce API Security Risk by Leveraging Graph Analytics Webinar Slides
Neo4j
0 views
CLRT-01 CO2 Volume Tester yang@celtec.cn.pdf
cellinstruments
0 views
Role of AI In Cross Functional Drivers Performance
RohanRajMudvari
0 views
TPTL-BTSPowerManagement
RudyansyahRudyansyah
0 views
PMP Certification 28 March.docx
MayaSharma61
0 views
Introduction.pptx
EllenGrace9
0 views
FBT-01 Falling Ball Impact Tester yang@celtec.cn.pdf
cellinstruments
0 views
Sets.pdf
EllenGrace9
0 views
Living In The Clouds - Moving A Business To O365 - DWCNZ2019
Ben Mountain
0 views
Amazon.com-An E-business Summary
RohanRajMudvari
0 views
16 slides
Hire PHP Developer
Website Development Outsourcing
0 views
3 slides
Where is VoIP Heading with Emerging Technology
Bankai Group
0 views
13 slides
2. How to Navigate CBMS App (EN).pptx
DivinaIligan
0 views
56 slides
RAJESH1.pptx
VmarBrothers
0 views
13 slides
Blockchain Presentations done by Michel
JeanMichelMujyambere
0 views
19 slides
Advertisement

NIST CyberSecurity Framework: An Overview

  1. 1. Cyber Security Framework Overview of NIST Security Guidelines CS684 IT Security Policies & Procedures Tandhy Simanjuntak
  2. 2. NIST History Other frameworks Cyber Security Framework Study Case Conclusion Agenda
  3. 3. NIST
  4. 4. National Institute of Standard and Technology 1901 Non-regulatory Federal Agency U.S. Dept. of Commerce NIST
  5. 5. Mission NIST Innovation Industrial Competitiveness •  Measurement Science •  Measurement Standards •  Measurement Technology = Economic security = Quality of Life
  6. 6. Areas NIST Bioscience & Health Building & Fire Research Chemistry Electronics & Telco. Energy Environment / Climate Information Technology Manufacturing Materials Science Math Nanotechnology Physics Public Safety & Security Quality Transportation
  7. 7. History
  8. 8. Feb 12, 2013 Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” http://blogs.reuters.com/great-debate/2013/07/08/obamas-key-nuclear-deal-wi
  9. 9. Critical Infrastructure[1] “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  10. 10. http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg
  11. 11. Other Frameworks
  12. 12. Others Security Framework ISO/IEC 27002:2013 COBIT COSO HITRUST CSF
  13. 13. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF ISO: International Organization for Standardization IEC: International Electrotechnical Commission Best practice recommendations • Information Security Management • Information Security Program elements Others Security Framework
  14. 14. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Control Objectives for Information and related Technology Best practices for IT management Defines program and management control functions Others Security Framework
  15. 15. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Committee of Sponsoring Organizations of the Treadway Commission Thought of Leadership for frameworks development Guidance • Enterprise risk management • Internal control • Fraud deterrence Others Security Framework
  16. 16. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Healthcare and Information Security Professionals First IT Security for Healthcare Leverages existing standards • HIPAA, NIST, ISO, PCI, FTC and COBIT Others Security Framework
  17. 17. NIST vs Other Framework Other Frameworks NIST Specific to industry Specific to management Any industry Standards & Guidelines Guidelines
  18. 18. Cyber Security Framework
  19. 19. Framework Introduction Feb 13  Feb 14 Voluntary risk-based framework • Government and private sectors Standards and best practices • Manage cyber security risks Protect individual privacy and civil liberties
  20. 20. Framework Core Framework Implementation Tiers Framework Profile Framework
  21. 21. Framework Core Framework Implementation Tiers Framework Profile Activities, outcomes & applicable references Industry standards, guidelines & practices 5 concurrent and continuous Functions Identify Protect Detect Respond Recover Framework
  22. 22. Framework Core Framework Implementation Tiers Framework Profile Understanding to manage cybersecurity risk to systems, assets, data, and capabilities Identify the occurrence of a cybersecurity event Safeguards to ensure delivery of critical infrastructure services Action regarding a detected cybersecurity event • Maintain plans for resilience • Restore any capabilities or services Identify Protect Detect Respond Recover Framework
  23. 23. Framework Core Framework Implementation Tiers Framework Profile Framework Functions Categories Subcategories Informative Reference IDENTIFY ID PROTECT PR DETECT DE RESPOND RS RECOVER RC
  24. 24. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category IDENTIFY (ID) ID.AM Asset Management ID.BE Business Environment ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy
  25. 25. Framework Function Category Identifier Category PROTECT (PR) PR.AC Access Control PR.AT Awareness and Training PR.DS Data Security PR.IP Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology IDENTIFY PROTECT DETECT RESPOND RECOVER
  26. 26. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category DETECT (DE) DE.AE Anomalies and Events DE.CM Security Continuous Monitoring DE.DP Detection Processes
  27. 27. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category RESPOND (RS) RS.RP Response Planning RS.CO Communications RS.AN Analysis RS.MI Mitigation RS.IM Improvements
  28. 28. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category RECOVER (RC) RC.RP Recovery Planning RC.IM Improvements RC.CO Communications
  29. 29. Cybersecurity Risks Manage Risks Partial Risk Informed Repeatable Adaptive Framework Core Framework Implementation Tiers Framework Profile Framework Consideration • Risk management practices, threat environment, legal & regulatory req., objectives & constraints
  30. 30. Elements: •Risk Management Process •Integrated Risk Management Program •External Collaboration Framework Core Framework Implementation Tiers Framework Profile Framework
  31. 31. Risk Management Process Integrated Risk Management Program External Participation Partial • Not formalized • Reactive • Limited awareness • Irregular risk management • Private information No external collaboration Risk Informed • Approved practices • Not widely use as policy • More awareness • Risk-informed, processes & procedures • Adequate resources • Internal sharing Not formalized to interact & share information Repeatable • Approved as Policy • Update regularly • Organization approach • Risk-informed, processes & procedures defined & implemented as intended, and reviewed • Knowledge & skills • Collaborate • Receive information Adaptive Continuous improvement • Risk-informed, processes & procedures for potential events • Continuous awareness • Actively Actively shares information
  32. 32. Framework Core Framework Implementation Tiers Framework Profile Alignment of Framework Core and business requirements, risk tolerance & resources Establish roadmap to reduce risk aligned with organizational and sector goals Describe current and desired state of specific events Action plan to address gaps Framework
  33. 33. Create or improve a program 1. Prioritize and Scope 2. Orient 3. Create current profile 4. Conduct Risk assessment 5. Create target profile 6. Determine, Analyze & Prioritize Gaps 7. Implement Action Plan
  34. 34. Study Case
  35. 35. http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html
  36. 36. Conclusion
  37. 37. Conclusion Reduce and better manage cybersecurity risks Not a one-size-fits-all approach
  38. 38. Reference 1. NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from NIST site: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf 2. ISF (2007). The Standard of Good Practice for Information Security. Retrieved from Security Forum site: https://www.securityforum.org/userfiles/public/SOGP.pdf 3. IASME (2015) IASME Self-Assessment Questionnaire. Retrieved from IASME site: https://www.iasme.co.uk/index.php 4. Johnson, S. (2008). NERC Cyber Security Standards. SANS. Retrieved from SANS site: https://files.sans.org/summit/scada08/Stan_Johnson_NERC_Cyber_Security_Standards.pdf 5. Center for Internet Security. Retrieved from http://www.cisecurity.org/. 6. Solutionary (n.d.) Security Frameworks. Retrieved from Solutionary site: http://www.solutionary.com/compliance/security-frameworks/ 7. Intel (2015). The Cybersecurity Framework in Action: An Intel Use Case. Retrieved from Intel site: http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use- case-brief.html

Editor's Notes

  • http://www.internetsociety.org/deploy360/wp-content/uploads/2012/03/NIST-logo-1.jpg
  • Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

    http://nist.gov/public_affairs/general_information.cfm

  • http://nist.gov/subject_areas.cfm
  • http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  • http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg
  • ISO/IEC 27002:2013 The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide best practice recommendations on information security management and program elements. ISO defines the broadest structure of an effective overall program, supporting information security as a systems issue that includes technology, practice, and people, and describes the need for a formal security program.

    COBIT The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. COBIT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively to maximize the investment of technology efficiently. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over internal practices that help manage an effective security infrastructure, as well as sound business practice.

    COSO The Committee of Sponsoring Organizations of the Treadway Commission defined the Control Objectives for their Internal Control – Integrated Frameworks, the widely accepted control frameworks for enterprise governance and risk management, and similar compliant frameworks. COSO defines a set of business, management, and security relevant controls that can be used to demonstrate good business practice controls, and can be used to show compliance with Sarbanes-Oxley requirements.

    HITRUST CSF Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.

    The HITRUST CSF:
    Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
    Scales according to type, size and complexity of an implementing organization
    Provides prescriptive requirements to ensure clarity
    Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
    Allows for the adoption of alternate controls when necessary
    Evolves according to user input and changing conditions in the healthcare industry and regulatory environment
    Solutionary is a HITRUST Common Security Frameworks (CSF) Assessor. This means that Solutionary is able to deliver healthcare certification work including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.


    http://www.solutionary.com/compliance/security-frameworks/
  • ISO/IEC 27002:2013 The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide best practice recommendations on information security management and program elements. ISO defines the broadest structure of an effective overall program, supporting information security as a systems issue that includes technology, practice, and people, and describes the need for a formal security program.

  • COBIT The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. COBIT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively to maximize the investment of technology efficiently. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over internal practices that help manage an effective security infrastructure, as well as sound business practice.
  • COSO The Committee of Sponsoring Organizations of the Treadway Commission defined the Control Objectives for their Internal Control – Integrated Frameworks, the widely accepted control frameworks for enterprise governance and risk management, and similar compliant frameworks. COSO defines a set of business, management, and security relevant controls that can be used to demonstrate good business practice controls, and can be used to show compliance with Sarbanes-Oxley requirements.

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organizations listed on the left and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. We hope you will find the information on this site to be helpful and we welcome your input.

    http://www.coso.org/

  • HITRUST CSF Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.

    The HITRUST CSF:
    Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
    Scales according to type, size and complexity of an implementing organization
    Provides prescriptive requirements to ensure clarity
    Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
    Allows for the adoption of alternate controls when necessary
    Evolves according to user input and changing conditions in the healthcare industry and regulatory environment
    Solutionary is a HITRUST Common Security Frameworks (CSF) Assessor. This means that Solutionary is able to deliver healthcare certification work including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.
  • HITRUST CSF Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.

    The HITRUST CSF:
    Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
    Scales according to type, size and complexity of an implementing organization
    Provides prescriptive requirements to ensure clarity
    Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
    Allows for the adoption of alternate controls when necessary
    Evolves according to user input and changing conditions in the healthcare industry and regulatory environment
    Solutionary is a HITRUST Common Security Frameworks (CSF) Assessor. This means that Solutionary is able to deliver healthcare certification work including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.
  • In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses
  • The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

    • Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

    • A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations
  • The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Functions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.

    • Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”
    • Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”

    • Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process.

    Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • • Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
  • Tier 1: Partial
    • Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
    • Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
    • External Participation – An organization may not have the processes in place to participate in coordination or collaboration with other entities.
    Tier 2: Risk Informed
    • Risk Management Process – Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
    • Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
    • External Participation – The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
    Tier 3: Repeatable
    • Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
    • Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
    • External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

    Tier 4: Adaptive
    • Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
    • Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
    • External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
  • • A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations
  • Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.
    Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
    Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.
    Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
    Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.
    Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
    Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.
  • In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses
  • The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent.

    Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.

×