Introduction to NIST Cybersecurity Framework

CONTEXT OF NIST FRAMEWORK

Nations depend on the reliable functioning of increasingly complex
and interconnected systems of infrastructure. However, in recent years cybersecurity threats and attacks on this infrastructure have shown how vulnerable it is. Cybersecurity threats and attacks routinely threaten the health, safety, security, privacy, and prosperity of citizens, and undermine the performance of organizations in both the private and public sectors.

Cybersecurity threats and attacks routinely and regularly exploit the
sophisticated networks, processes, systems, equipment, facilities, and
technologies that work together to provide the critical infrastructure that
we all depend on. Cybersecurity threats and attacks put all of us at risk.

PURPOSE OF NIST FRAMEWORK

The NIST Framework can be used to address these cybersecurity
threats and attacks. It can be used to protect critical infrastructure
and to safeguard the health, safety, security, and privacy of
customers, employees, and other stakeholders.

Every organization is unique. It has unique risks, unique threats,
and unique vulnerabilities, and will, therefore, have its own unique
approach to cybersecurity risk management. This NIST Framework
is not a one-size-fits-all approach. Organizations are free to apply
it any way they like. How they choose to protect their critical
infrastructure is and will remain entirely up to them.

Organizations are free to customize the practices and prescriptions
described in this NIST Framework and will be free to choose the tasks
and activities that are important to product and service delivery. They
will be entirely free to prioritize their cybersecurity investments and
to maximize the impact of each dollar spent.

SCOPE OF NIST FRAMEWORK

This Framework was developed for critical infrastructure owners and
operators and applies to any organization that depends on information
technology (IT), industrial control systems (ICS), cyber-physical systems
(CPS), the Internet of Things (IoT), or connected devices more generally
to achieve its objectives. It applies to any and all organizations that use sophisticated technologies to provide the critical infrastructure that
we all depend on.

OVERVIEW OF FRAMEWORK CORE

The “Core” of the Framework consists of cybersecurity risk management
functions, activities, tasks, and outcomes that are common across sectors
and infrastructures. It consists of the following five general functions which
operate concurrently and continuously: Identify, Protect, Detect, Respond,
and Recover. Each general function is broken down into activities, which,
in turn, are broken down into tasks. When these activities and tasks are
actually being performed they are referred to as outcomes.

The Core of the Framework is used to develop Current and Target Profiles.
Profiles are created by studying NIST’s Framework Core and then selecting
activities and tasks. Current Profiles are created by selecting activities and
tasks that describe the organization’s current cybersecurity status: its “as
is” state. Target Profiles are created by selecting activities and tasks that
describe the organization’s preferred cybersecurity status: its “to be”
state. By comparing Current and Target Profiles, an organization can
identify cybersecurity gaps.

For more information, see Detailed Overview of Framework Core.

OVERVIEW OF IMPLEMENTATION TIERS

NIST has also defined four Implementation Tiers. These Tiers classify
organizations according to how well cybersecurity risk management
practices have been implemented. They range from Tier 1 to Tier 4.

Tier 1 organizations use relatively primitive methods to manage risk while Tier 4 organizations use relatively advanced methods. Tier 1 organizations have ineffective risk management methods, Tier 2 have informal methods, Tier 3 have structured methods, and Tier 4 have adaptive methods.

This information is used to define an organization’s Current Tier and
its Target Tier. Current Tiers are defined by selecting cybersecurity risk management practices that describe the organization’s current status: its “as is” state.
Target Tiers are defined by selecting cybersecurity risk management
practices that describe its preferred status: its “to be” state. These
Tier definitions are then used to identify cybersecurity risk
management implementation gaps.

For more information, see our Detailed Implementation Tiers.
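The two comparisons described on this page, Current Profile against Target Profile and Current Tier against Target Tier, are simple enough to work through in code. The following Python script is an added illustration, not material from NIST or from Praxiom: it models a Profile as the set of Core outcomes an organization has selected, computes the outcomes the Target Profile asks for that the Current Profile lacks (grouped by the five Functions), lists anything performed today that the Target does not select, and compares the two Tiers using the plain-English labels this page gives them. The outcome identifiers follow the naming scheme of NIST CSF v1.1 subcategories (Function.Category-Number, e.g. "ID.AM-1"); the sample profiles themselves are constructed for the example.

```python
"""Gap analysis between Current and Target Profiles, and between Current
and Target Implementation Tiers, in the style of the NIST Cybersecurity
Framework.

Added example, not NIST or Praxiom material. Identifiers follow the CSF
v1.1 subcategory scheme (Function.Category-Number); the sample profiles
below are constructed for illustration only.
"""
from __future__ import annotations

import re

# The five Functions of the Framework Core, keyed by the two-letter prefix
# that CSF v1.1 uses at the start of each subcategory identifier.
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Implementation Tiers, using the plain-English labels this page gives them.
TIERS = {1: "ineffective", 2: "informal", 3: "structured", 4: "adaptive"}

SUBCATEGORY_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")


def function_of(outcome: str) -> str:
    """Map an outcome identifier such as 'PR.AC-1' to its Function ('Protect')."""
    if not SUBCATEGORY_ID.match(outcome):
        raise ValueError(f"not a CSF-style subcategory identifier: {outcome!r}")
    return FUNCTIONS[outcome.split(".", 1)[0]]


def profile_gaps(current: set[str], target: set[str]) -> dict[str, list[str]]:
    """Outcomes selected in the Target Profile but absent from the Current
    Profile, grouped by Function in Core order. These are the gaps to close."""
    missing = target - current
    for outcome in missing:
        function_of(outcome)  # reject malformed identifiers early
    gaps: dict[str, list[str]] = {}
    for prefix, name in FUNCTIONS.items():
        items = sorted(o for o in missing if o.startswith(prefix + "."))
        if items:
            gaps[name] = items
    return gaps


def unplanned_outcomes(current: set[str], target: set[str]) -> list[str]:
    """Outcomes performed today that the Target Profile does not select.
    Not necessarily wrong, but worth reviewing before investing further."""
    return sorted(current - target)


def tier_gap(current_tier: int, target_tier: int) -> dict[str, object]:
    """Compare the organization's Current and Target Implementation Tiers."""
    for tier in (current_tier, target_tier):
        if tier not in TIERS:
            raise ValueError(f"tier must be 1-4, got {tier!r}")
    return {
        "current": TIERS[current_tier],
        "target": TIERS[target_tier],
        "levels_to_climb": max(0, target_tier - current_tier),
    }


def gap_report(current: set[str], target: set[str],
               current_tier: int, target_tier: int) -> str:
    """Render both gap analyses as a short plain-text report."""
    tiers = tier_gap(current_tier, target_tier)
    lines = [
        f"Tier: {tiers['current']} (Tier {current_tier}) -> "
        f"{tiers['target']} (Tier {target_tier}), "
        f"{tiers['levels_to_climb']} level(s) to climb"
    ]
    gaps = profile_gaps(current, target)
    lines.append(f"Profile gaps: {sum(len(v) for v in gaps.values())} outcome(s)")
    for function, outcomes in gaps.items():
        lines.append(f"  {function}: {', '.join(outcomes)}")
    extra = unplanned_outcomes(current, target)
    if extra:
        lines.append(f"Performed but not targeted: {', '.join(extra)}")
    return "\n".join(lines)


# Constructed sample profiles: illustrative selections, not a real organization.
CURRENT_PROFILE = {"ID.AM-1", "PR.AC-1", "PR.DS-1", "DE.CM-1"}
TARGET_PROFILE = {"ID.AM-1", "ID.AM-2", "PR.AC-1", "PR.DS-1",
                  "DE.CM-1", "DE.CM-4", "RS.RP-1", "RC.RP-1"}

if __name__ == "__main__":
    print(gap_report(CURRENT_PROFILE, TARGET_PROFILE, current_tier=2, target_tier=3))
```

Run as written, the script reports that the sample organization sits at Tier 2 ("informal") with Tier 3 ("structured") as its target, and that its Target Profile selects four outcomes (one each under Identify, Detect, Respond and Recover) that the Current Profile does not yet cover. Grouping by Function is deliberate: it shows at a glance where the Target Profile is asking for the most new work, which is the information an organization needs to prioritize its cybersecurity investments.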


ADDITIONAL NIST CYBERSECURITY PAGES

Brief Overview of NIST Cybersecurity Framework Core

Detailed Structure of NIST Cybersecurity Framework Core

How to Create a Cybersecurity Program Using NIST Framework

NIST Cybersecurity Framework Core Translated into Plain English

NIST Cybersecurity Privacy Principles Translated into Plain English

NIST Cybersecurity Implementation Tiers Translated into Plain English


Praxiom Research Group Limited          help@praxiom.com          780-461-4514

Updated on February 5, 2020. First published on January 29, 2020.


Copyright © 2020 by Praxiom Research Group Limited. All Rights Reserved.
