NIST Cybersecurity Framework.
The National Institute of Standards and Technology has developed a framework that organizations can follow to assess their current IT security posture and identify the gaps between that posture and their desired state.
NIST Framework Core
The NIST Framework Core consists of five functions, 23 categories, and 108 subcategories.
The five functions describe the basic cybersecurity activities at the highest level. The categories divide each function into high-level outcomes pertinent to that function. Subcategories articulate the specific outcomes within each category that must be met to achieve compliance.
The Framework Core also includes Informative References that direct the organization to additional guidance on each subcategory, often specific to a particular industry.
NIST Framework Implementation Tiers
The NIST Framework also defines stages of compliance and rigor with which organizations handle their cybersecurity. Four tiers are defined: Partial, Risk Informed, Repeatable, and Adaptive.
Each successive tier represents a higher level of cybersecurity awareness and control. Organizations use the tiers to assess their current state as well as to identify a desired state.
NIST Framework Profiles
Using the Framework Core and Tiers, organizations develop a Current Profile and a Target Profile. The Current Profile records how the organization currently measures up against the 108 subcategories. The Target Profile identifies the desired state the organization must reach to meet its mission and goals.
By comparing the Target Profile to the Current Profile, the organization identifies the gaps that need to be addressed.
Establishing a Cyber Security Plan
NIST provides a seven-step process for establishing a cybersecurity program:
(excerpt from the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1)
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance. Risk tolerances may be reflected in a target Implementation Tier.
Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information.
Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.
Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile. The Target Profile should appropriately reflect criteria within the target Implementation Tier.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps – reflecting mission drivers, costs and benefits, and risks – to achieve the outcomes in the Target Profile. The organization then determines resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.
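Steps 3 through 6 above amount to a data-processing task: record the Current Profile and Target Profile as outcome levels per subcategory, attach the risk assessment from Step 4, and produce a prioritized list of gaps. The following Python script is an added example written for this page; it is not NIST's code, and NIST prescribes no particular scoring formula. The subcategory identifiers are real CSF v1.1 IDs, but the outcome levels, risk scores and the priority formula (risk times the size of the outcome shortfall) are constructed here for illustration.

```python
"""Worked gap analysis between a CSF Current Profile and Target Profile.

Added illustration, not part of the NIST Framework document. The profile
contents and risk scores below are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    """How far a subcategory outcome is achieved (Step 3 notes partial achievement)."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


# Constructed Current Profile (Step 3). A subcategory missing from the
# Current Profile is treated as NOT_ACHIEVED.
CURRENT_PROFILE = {
    "ID.AM-1": Outcome.ACHIEVED,      # asset inventory in place
    "PR.AC-1": Outcome.PARTIAL,       # identity/credential management partly done
    "DE.CM-1": Outcome.NOT_ACHIEVED,  # no network monitoring yet
    "RS.RP-1": Outcome.PARTIAL,       # response plan exists, not exercised
}

# Constructed Target Profile (Step 5): the desired outcome per subcategory.
TARGET_PROFILE = {
    "ID.AM-1": Outcome.ACHIEVED,
    "PR.AC-1": Outcome.ACHIEVED,
    "DE.CM-1": Outcome.ACHIEVED,
    "RS.RP-1": Outcome.ACHIEVED,
    "RC.RP-1": Outcome.PARTIAL,
}

# Constructed risk scores from the risk assessment (Step 4): likelihood x impact
# on a 1-5 scale each, so values range from 1 to 25. Unscored subcategories get 1.
RISK_SCORES = {
    "PR.AC-1": 20,
    "DE.CM-1": 12,
    "RS.RP-1": 9,
    "RC.RP-1": 6,
}


@dataclass(frozen=True)
class Gap:
    """One subcategory where the Current Profile falls short of the Target Profile."""
    subcategory: str
    current: Outcome
    target: Outcome
    risk: int

    @property
    def shortfall(self) -> int:
        # Number of outcome levels still to climb.
        return int(self.target) - int(self.current)

    @property
    def priority(self) -> int:
        # Hypothetical ranking formula: larger shortfalls on riskier outcomes first.
        return self.risk * self.shortfall


def find_gaps(current: dict, target: dict, risk: dict) -> list:
    """Step 6: compare profiles and return gaps ordered by descending priority."""
    gaps = []
    for subcategory, wanted in target.items():
        have = current.get(subcategory, Outcome.NOT_ACHIEVED)
        if have < wanted:
            gaps.append(Gap(subcategory, have, wanted, risk.get(subcategory, 1)))
    # Stable tie-break on the identifier keeps the plan deterministic.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def coverage_by_function(current: dict, target: dict) -> dict:
    """Count targeted subcategories fully achieved, grouped by Framework Function.

    The Function is the prefix before the dot in a subcategory ID (e.g. 'PR').
    """
    summary = {}
    for subcategory, wanted in target.items():
        function = subcategory.split(".", 1)[0]
        achieved, total = summary.get(function, (0, 0))
        met = current.get(subcategory, Outcome.NOT_ACHIEVED) >= wanted
        summary[function] = (achieved + int(met), total + 1)
    return summary


def action_plan(gaps: list) -> list:
    """Render the prioritized action plan as one line per gap."""
    return [
        f"{i}. {g.subcategory}: {g.current.name} -> {g.target.name} "
        f"(risk {g.risk}, priority {g.priority})"
        for i, g in enumerate(gaps, start=1)
    ]


if __name__ == "__main__":
    for line in action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)):
        print(line)
    print(coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

Running the script lists DE.CM-1 first even though PR.AC-1 carries the higher raw risk score, because the monitoring outcome is two levels short rather than one; ID.AM-1 produces no gap because the profiles already agree. Whatever formula an organization actually adopts, keeping the profiles and the risk inputs as explicit data, as here, makes the Step 6 prioritization reproducible and reviewable rather than a one-off spreadsheet judgement.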