CONTEXT OF NIST FRAMEWORK
Nations depend on the reliable functioning of increasingly complex and interconnected systems of infrastructure. However, in recent years cybersecurity threats and attacks on this infrastructure have shown how vulnerable it is. Cybersecurity threats and attacks routinely threaten the health, safety, security, privacy, and prosperity of citizens, and undermine the performance of organizations in both the private and public sectors.
Cybersecurity threats and attacks routinely exploit the sophisticated networks, processes, systems, equipment, facilities, and technologies that work together to provide the critical infrastructure that we all depend on. Cybersecurity threats and attacks put all of us at risk.
PURPOSE OF NIST FRAMEWORK
The NIST Framework can be used to address these cybersecurity threats and attacks. It can be used to protect and to safeguard the health, safety, and security of customers, employees, and other stakeholders.
Every organization is unique. It has unique risks, unique threats, and unique vulnerabilities, and will, therefore, have its own unique approach to cybersecurity risk management. This NIST Framework is not a one-size-fits-all approach. Organizations are free to apply it any way they like. How they choose to protect infrastructure is and will remain entirely up to them. Organizations are free to customize the practices and prescriptions described in this NIST Framework and will be free to choose the tasks and activities that are important to product and service delivery. They will be entirely free to prioritize their cybersecurity investments and to maximize the impact of each dollar spent.
OF NIST FRAMEWORK
This Framework was developed for critical infrastructure owners and operators and applies to any organization that depends on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), the Internet of Things (IoT), or connected devices more generally to achieve its objectives. It applies to any and all organizations that use sophisticated technologies to provide the critical infrastructure that we all depend on.
OVERVIEW OF FRAMEWORK CORE
The “Core” of the Framework consists of the following five sets of cybersecurity risk management functions, which apply across sectors and infrastructures and operate concurrently: Identify, Protect, Detect, Respond, and Recover. Each general function is broken down into activities, which in turn are broken down into tasks. When these activities and tasks are actually being performed they are referred to as outcomes.
The Core of the Framework is used to develop Current and Target Profiles. Profiles are created by studying NIST’s Framework Core and then selecting activities and tasks. Current Profiles are created by selecting activities and tasks that describe the organization’s current cybersecurity status: its “as is” state. Target Profiles are created by selecting activities and tasks that describe the organization’s preferred cybersecurity status: its “to be” state. By comparing Current and Target Profiles, organizations can identify cybersecurity gaps.
For more information, see Overview of
OVERVIEW OF IMPLEMENTATION TIERS
NIST has also defined four Implementation Tiers. These Tiers classify organizations according to how well cybersecurity practices have been implemented. They range from Tier 1 to Tier 4.
Tier 1 organizations use relatively primitive methods to manage risk while Tier 4 organizations use relatively advanced methods. Tier 1 organizations have ineffective risk management methods, Tier 2 have informal methods, Tier 3 have structured methods, and Tier 4 have
This information is used to define an organization’s Current Tier and its Target Tier. Current Tiers are defined by selecting cybersecurity risk management practices that describe its current status: its “as is” state. Target Tiers are defined by selecting cybersecurity practices that describe its preferred status: its “to be” state. These Tier definitions are then used to identify management implementation gaps.
For more information, see our Detailed