Introduction to NIST Cybersecurity Framework

CONTEXT OF NIST FRAMEWORK

Nations depend on the reliable functioning of increasingly complex
and interconnected systems of infrastructure. However, in recent years cybersecurity threats and attacks on this infrastructure have shown how vulnerable it is. Cybersecurity threats and attacks routinely threaten the health, safety, security, privacy, and prosperity of citizens, and undermine the performance of organizations in both the private and public sectors.

Cybersecurity threats and attacks routinely and regularly exploit the
sophisticated networks, processes, systems, equipment, facilities, and
technologies that work together to provide the critical infrastructure that
we all depend on. Cybersecurity threats and attacks put all of us at risk.

PURPOSE OF NIST FRAMEWORK

The NIST Framework can be used to address these cybersecurity
threats and attacks. It can be used to protect critical infrastructure
and to safeguard the health, safety, security, and privacy of
customers, employees, and other stakeholders.

Every organization is unique. It has unique risks, unique threats,
and unique vulnerabilities, and will, therefore, have its own unique
approach to cybersecurity risk management. This NIST Framework
is not a one-size-fits-all approach. Organizations are free to apply
it any way they like. How they choose to protect their critical
infrastructure is and will remain entirely up to them.

Organizations are free to customize the practices and prescriptions
described in this NIST Framework and will be free to choose the tasks
and activities that are important to product and service delivery. They
will be entirely free to prioritize their cybersecurity investments and
to maximize the impact of each dollar spent.

SCOPE OF NIST FRAMEWORK

This Framework was developed for critical infrastructure owners and
operators and applies to any organization that depends on information
technology (IT), industrial control systems (ICS), cyber-physical systems
(CPS), the Internet of Things (IoT), or connected devices more generally
to achieve its objectives. It applies to any and all organizations that use sophisticated technologies to provide the critical infrastructure that
we all depend on.

OVERVIEW OF FRAMEWORK CORE

The “Core” of the Framework consists of the following five sets
of cybersecurity risk management functions that are common across
sectors and infrastructures and operate concurrently and continuously:
Identify, Protect, Detect, Respond, and Recover. Each general function
is broken down into activities, which in turn, are broken down into tasks.
When these activities and tasks are actually being performed they are
referred to as outcomes.

The Core of the Framework is used to develop Current and Target Profiles.
Profiles are created by studying NIST’s Framework Core and then selecting
activities and tasks. Current Profiles are created by selecting activities and
tasks that describe the organization’s current cybersecurity status: its “as
is” state. Target Profiles are created by selecting activities and tasks that
describe the organization’s preferred cybersecurity status: its “to be”
state. By comparing Current and Target Profiles, organization can
identify cybersecurity gaps.

For more information, see Overview of Framework Core.

OVERVIEW OF IMPLEMENTATION TIERS

NIST has also defined four Implementation Tiers. These Tiers classify
organizations according to how well cybersecurity risk management
practices have been implemented. They range from Tier 1 to Tier 4.

Tier 1 organizations use relatively primitive methods to manage risk while Tier 4 organizations use relatively advanced methods. Tier 1 organizations have ineffective risk management methods, Tier 2 have informal methods, Tier 3 have structured methods, and Tier 4 have adaptive methods.

This information is used to define an organization’s Current Tier and
its Target Tier. Current Tiers are defined by selecting cybersecurity risk management practices that describe its current status: its “as is” state.
Target Tiers are defined by selecting cybersecurity risk management
practices that describe its preferred status: its “to be” state. These
Tier definitions are then used to identify cybersecurity risk
management implementation gaps.

For more information, see our Detailed Implementation Tiers.


MORE NIST CYBERSECURITY PAGES

Overview of NIST Cybersecurity Framework

Structure of NIST Cybersecurity Framework

Cybersecurity Framework in Plain English

How to Create a Cybersecurity Program

Cybersecurity Implementation Tiers

Cybersecurity Privacy Principles

Cybersecurity Audit Checklist

Cybersecurity Audit Tool

Home Page

Our Library

A to Z Index

Customers

How to Order

Our Products

Our Prices

Guarantee

Praxiom Research Group Limited          help@praxiom.com          780-461-4514

Updated on March 31, 2020. First published on January 29, 2020.

Legal Restrictions on the Use of this Page
Thank you for visiting this web page. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2020 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research
        Group Limited