CONTEXT OF NIST FRAMEWORK
Nations depend on the reliable functioning of increasingly complex and interconnected systems of infrastructure. However, in recent years cybersecurity threats and attacks on this infrastructure have shown how vulnerable it is. Cybersecurity threats and attacks routinely threaten the health, safety, security, privacy, and prosperity of citizens, and undermine the performance of organizations in both the private and public sectors.

Cybersecurity threats and attacks routinely and regularly exploit the sophisticated networks, processes, systems, equipment, and technologies that work together to provide the critical infrastructure we all depend on. Cybersecurity threats and attacks put all of us at risk.
PURPOSE OF NIST FRAMEWORK
The NIST Framework can be used to address these cybersecurity threats and attacks. It can be used to protect critical infrastructure and to safeguard the health, safety, security, and privacy of customers, employees, and other stakeholders.

Every organization is unique. It has unique risks, unique threats, and unique vulnerabilities, and will, therefore, have its own approach to cybersecurity risk management. This NIST Framework is not a one-size-fits-all approach. Organizations are free to use it any way they like. How they choose to protect their infrastructure is and will remain entirely up to them.

Organizations are free to customize the practices and prescriptions described in this NIST Framework, will be free to choose the activities that are important to their products and services, and will be entirely free to prioritize their cybersecurity spending to maximize the impact of each dollar spent.
SCOPE OF NIST FRAMEWORK
This Framework was developed for critical infrastructure owners and operators and applies to any organization that depends on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), the Internet of Things (IoT), or connected devices more generally to achieve its objectives. It applies to any and all organizations that use sophisticated technologies to provide the critical infrastructure that we all depend on.
OVERVIEW OF FRAMEWORK CORE
The “Core” of the Framework consists of cybersecurity risk management functions, activities, tasks, and outcomes that are common across sectors and infrastructures. It consists of the following five general functions, which operate concurrently and continuously: Identify, Protect, Detect, Respond, and Recover. Each general function is broken down into activities, which, in turn, are broken down into tasks. When these activities and tasks are actually being performed they are referred to as outcomes.
The Core of the Framework is used to develop Current and Target Profiles. Profiles are created by studying NIST’s Framework Core and selecting activities and tasks. Current Profiles are created by selecting activities and tasks that describe the organization’s current cybersecurity status: its “as is” state. Target Profiles are created by selecting activities and tasks that describe the organization’s preferred cybersecurity status: its “to be” state. By comparing Current and Target Profiles, organizations can identify cybersecurity gaps.

For more information, see Detailed Overview of Framework Core.
OVERVIEW OF IMPLEMENTATION TIERS
NIST has also defined four Implementation Tiers. These Tiers classify organizations according to how well cybersecurity risk management practices have been implemented. They range from Tier 1 to Tier 4. Tier 1 organizations use relatively primitive methods to manage risk while Tier 4 organizations use relatively advanced methods. Tier 1 organizations have ineffective risk management methods, Tier 2 have informal methods, Tier 3 have structured methods, and Tier 4 have advanced methods.

This information is used to define an organization’s Current Tier and its Target Tier. Current Tiers are defined by selecting cybersecurity risk management practices that describe its current status: its “as is” state. Target Tiers are defined by selecting cybersecurity risk management practices that describe its preferred status: its “to be” state. Tier definitions are then used to identify cybersecurity risk management implementation gaps.
For more information, see our Detailed
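The Profile comparison and Tier comparison described in the two sections above, as an added example in Python (not code from the page or from NIST). The abbreviated Core, the outcome ids, the activity names and the Tier labels are constructed placeholders; only the five Function names are the Framework's own.

```python
"""Gap analysis over NIST Framework Current/Target Profiles and Implementation Tiers."""
from collections import defaultdict

# Constructed, abbreviated Core: Function -> activity -> outcome ids (placeholders,
# not the Framework's own identifiers); only the five Function names are real.
CORE = {
    "Identify": {"Asset Management": ["ID-1", "ID-2"], "Risk Assessment": ["ID-3"]},
    "Protect": {"Access Control": ["PR-1", "PR-2"], "Data Security": ["PR-3"]},
    "Detect": {"Continuous Monitoring": ["DE-1"]},
    "Respond": {"Response Planning": ["RS-1"]},
    "Recover": {"Recovery Planning": ["RC-1"]},
}
# Tier labels paraphrase the page's descriptions; the Tier 4 wording is an assumption.
TIERS = {1: "ineffective", 2: "informal", 3: "structured", 4: "advanced"}

def outcome_index(core):
    """Map each outcome id to (function, activity) so gaps can be grouped by Function."""
    return {o: (f, a) for f, acts in core.items() for a, outs in acts.items() for o in outs}

def build_profile(core, selected):
    """A Profile is a selection of Core outcomes; reject ids the Core does not define."""
    unknown = sorted(set(selected) - set(outcome_index(core)))
    if unknown:
        raise ValueError(f"outcomes not in Core: {unknown}")
    return frozenset(selected)

def profile_gaps(core, current, target):
    """Target ('to be') outcomes missing from the Current ('as is') Profile, by Function."""
    idx = outcome_index(core)
    gaps = defaultdict(list)
    for outcome in sorted(target - current):
        gaps[idx[outcome][0]].append(outcome)
    return dict(gaps)

def tier_gap(current_tier, target_tier):
    """Tier steps from Current to Target; a negative result means the target is lower."""
    for tier in (current_tier, target_tier):
        if tier not in TIERS:
            raise ValueError(f"Tier must be 1-4, got {tier!r}")
    return target_tier - current_tier

if __name__ == "__main__":
    current = build_profile(CORE, ["ID-1", "PR-1", "RC-1"])
    target = build_profile(CORE, ["ID-1", "ID-2", "PR-1", "PR-2", "DE-1", "RS-1", "RC-1"])
    print("profile gaps:", profile_gaps(CORE, current, target))
    print("tier gap:", TIERS[2], "->", TIERS[3], "=", tier_gap(2, 3), "step(s)")
```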