National Institute of Standards and Framework’s Cybersecurity Framework (CSF) was published in February 2014 in response to Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for a standardized security framework for critical infrastructure in the United States.
The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. It provides a common language that allows staff at all levels within an organization—and at all points in a supply chain—to develop a shared understanding of their cybersecurity risks. NIST worked with private-sector and government experts to create the Framework, which was released in early 2014. The effort went so well that Congress ratified it as a NIST responsibility in the Cybersecurity Enhancement Act of 2014.
The NIST CSF is comprised of four core areas. These include Functions, Categories, Subcategories, and References. Below, we will provide a brief explanation of terminology for the NIST CSF.
The NIST CSF is organized into five core Functions also known as the Framework Core. The functions are organized concurrently with one another to represent a security lifecycle. Each function is essential to a well-operating security posture and successful management of cybersecurity risk. Definitions for each Function are as follows:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
- Respond: Develop and implement the appropriate activities when facing a detected security event.
- Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
Categories & Subcategories
With each of the Functions noted in the Figure above, there are twenty-one categories and over a hundred subcategories. The subcategories provide context to each category with reference to other frameworks such as COBIT, ISO, ISA, and others.
The NIST CSF Tiers represent how well an organization views cybersecurity risk and the processes in place to mitigate risks. This helps provide organizations a benchmark on how their current operations.
- Tier 1 – Partial: Organizational cybersecurity risk is not formalized and managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
- Tier 2 – Risk-Informed: There may not be an organizational-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
- Tier 3 – Repeatable: A formal organizational risk management process is followed by a defined security policy.
- Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and analytics-driven to provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.