NIST

Talks about steps taken to secure your data

Uploaded by aloysiouskamya99
The NIST cybersecurity framework
Introduction
• The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the U.S. Department of Commerce, founded in 1901.
• The NIST Cybersecurity Framework (CSF) is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture. The framework addresses the lack of standards in cybersecurity and provides guidelines, a uniform set of rules, and standards for organizations to use across industries. The framework is currently on version 2.0 and includes three components: the Core, Implementation Tiers, and Profiles. The NIST CSF includes various model documents such as NIST SP 800-12, NIST SP 800-14, NIST SP 800-18, NIST SP 800-26, and NIST SP 800-30.
NIST security models
• The National Security Telecommunications and Information Systems Security Committee (NSTISSC) document presents a comprehensive model for information security.
• The following are some of the NIST documents that can help in the design of a security framework. These documents are from the NIST Computer Security Resource Center.
1. NIST SP 800-12: provides an introduction to computer security.
2. NIST SP 800-14: provides security principles and practices for securing IT systems.
3. NIST SP 800-18: provides a guide for developing security plans for IT systems.
4. NIST SP 800-26: a security self-assessment guide for IT systems.
5. NIST SP 800-30: risk management for IT systems.
The core functions
• The Core is the first NIST framework component. It includes guidance information and cybersecurity activities. The Core includes five high-level functions: Identify, Protect, Detect, Respond, and Recover.
• Identify: this function includes the following activities
  • Identifying physical and software assets to establish the basis of an asset management program.
  • Identifying the organization's business environment, including its role in the supply chain.
  • Identifying established cybersecurity policies to define the governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization.
  • Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk.
  • Establishing a risk management strategy, including identifying risk tolerance.
  • Identifying a supply chain risk management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks.
Protect
• The Protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. Critical activities in this group include:
• Implementing protections for Identity Management and Access Control within the organization, including physical and remote access
• Empowering staff through security awareness training, including role-based and privileged user training
• Establishing data security protection consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
• Implementing processes and procedures to maintain and manage the protections of information systems and assets
• Protecting organizational resources through maintenance, including remote maintenance activities
• Managing technology to ensure the security and resilience of
Detect
• Detecting potential cybersecurity incidents is critical, and this function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Activities in this function include:
• Ensuring anomalies and events are detected and their potential impact is understood
• Implementing continuous monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities
Respond
• The Respond function focuses on appropriate activities to take action in case of a detected cybersecurity incident and supports the ability to contain the impact of a potential cybersecurity incident. The essential activities for this function include:
• Ensuring response planning processes are executed during and after an incident
• Managing communications with internal and external stakeholders during and after an event
• Analyzing the incident to ensure effective response and supporting recovery activities, including forensic analysis and determining the impact of incidents
• Performing mitigation activities to prevent expansion of an event and to resolve the incident
• Implementing improvements by incorporating lessons learned from current and previous detection and response activities
Recover
• The Recover function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Timely recovery to normal operations is emphasized to reduce the impact of a cybersecurity incident. Essential activities for this function somewhat overlap with those of Respond and include:
• Ensuring the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
• Implementing improvements based on lessons learned and reviews of existing strategies
• Coordinating internal and external communications during and following recovery from a cybersecurity incident
Implementation tiers
• Tier levels describe how well organizations follow the rules and recommendations of the Cybersecurity Framework, with 1 being the lowest and 4 being the highest.
Tier 1: Partial
• Risk Management Processes:
At Tier 1 organizations, cybersecurity risk management is typically performed ad hoc and reactively. Furthermore, cybersecurity activities are typically performed with little to no prioritization based on the degree of risk that those activities address.
• Integrated Risk Management Program:
The lack of processes associated with cyber risk management makes communicating and managing that risk difficult for these organizations. As a result, the organization handles cybersecurity risk management on a case-by-case basis because of the lack of consistent information.
• External Participation:
These organizations lack an understanding of their role in the broader business ecosystem: their position in the supply chain, their dependents, and their dependencies. Without understanding where it sits in the ecosystem, a Tier 1 organization does not share information with third parties effectively (if at all). It is generally unaware of the supply chain risks it accepts and passes on to other ecosystem members.
Tier 2: Risk Informed
• Risk Management Processes:
While management approves them, risk management practices are typically not established as organization-wide policies within Tier 2 organizations. While risk management practices are not standard, they directly inform the prioritization of cybersecurity activities alongside organizational risk objectives, the threat environment, and business requirements.
• Integrated Risk Management Program:
Awareness of cybersecurity risk exists at the organizational level but is not standardized organization-wide, and information about cybersecurity is only shared informally. While some consideration for cybersecurity exists in organizational objectives, it is not standard. A cyber risk assessment may occur but is not standard and is periodically repeated.
• External Participation:
Tier 2 organizations understand their role in the ecosystem regarding either dependencies or dependents, but not both. Organizations like this typically receive information but do not share it. While they know the risk associated with their supply chain, they do not typically act on it.
Tier 3: Repeatable
• Risk Management Processes:
Tier 3 organizations have formally approved risk management practices, which are expressed as policy. These practices are regularly updated based on changes in business requirements and the changing threat landscape.
• Integrated Risk Management Program:
This tier has a higher-level, organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented, and reviewed. There are methods in place to consistently and effectively respond to changes in risk, and personnel possess the knowledge and skills to perform their roles. Senior cybersecurity staff, the board of directors, and business-side executives communicate regularly regarding cybersecurity events and risks.
• External Participation:
Tier 3 organizations understand their role in the ecosystem and contribute to the broader understanding of risks. They regularly collaborate with and receive information from other entities, which complements internally generated information, and they share information with other entities. These organizations know the risks associated with their supply chains and act on them formally, including implementing written agreements to communicate baseline requirements, governance structures, and policy implementation and monitoring.
Tier 4: Adaptive
• Risk Management Processes:
These organizations adapt their cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive factors. They implement a continuous improvement process, including incorporating advanced cybersecurity technologies and practices, and actively adapt to a changing threat and technology landscape.
• Integrated Cyber Risk Management Program:
Building on Tier 3, Tier 4 organizations clearly understand the link between organizational objectives and cybersecurity risk. Senior executives monitor cybersecurity risks in the same context as financial and organizational risks. These organizations base budgeting decisions on an understanding of the current and potential risk environment. Cybersecurity risk is integrated into the organizational culture and evolves from an awareness of previous activities and continuous awareness.
• External Participation:
Integrating itself further into the ecosystem beyond Tier 3, a Tier 4 organization receives, generates, and contributes to the understanding of the ecosystem around risk. Further integration of information sharing with internal and external stakeholders means that the organization uses real-time information to understand and regularly act on supply chain risks. It also has a formalized process, integrated into its documentation, covering dependencies and dependents.
The NIST profiles
• A profile enables organizations to establish a roadmap for reducing cybersecurity risk that aligns well with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.
• Given the complexity of many organizations, they may choose to have multiple profiles aligned with particular components, recognizing their individual needs. Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities.
• The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
• It is important here to loop in goals from all business segments, both business and security. That way, you will have a more well-rounded goal set that aligns with your business's vision for the future.
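As an added example (not part of the original slides), the following Python script shows how a Current Profile and a Target Profile can be compared, outcome by outcome, to produce the prioritized roadmap the slide describes: each outcome carries a current level, a target level and a risk-management priority, and the script lists the outstanding gaps in the order an organization would work them. The outcome labels, levels and priorities are constructed sample data, and the 1 to 4 scale borrows the Implementation Tier names purely for illustration; neither is an official NIST mapping.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example, not code from the original slides. The outcome labels,
maturity levels and priorities below are constructed sample data; the
1..4 scale reuses the Implementation Tier names for illustration only.
"""
from dataclasses import dataclass

# The five high-level functions of the CSF Core, in the order the slides list them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One cybersecurity outcome scored in both profiles (constructed schema)."""
    function: str   # one of FUNCTIONS
    label: str      # short description of the outcome
    current: int    # Current Profile: level achieved today, 1..4
    target: int     # Target Profile: level needed to meet risk goals, 1..4
    priority: int   # risk-management priority, 1 = highest


# Constructed sample profiles for a small organization.
SAMPLE_OUTCOMES = (
    Outcome("Identify", "Asset inventory maintained", 1, 3, 1),
    Outcome("Identify", "Supply chain risk strategy", 1, 2, 3),
    Outcome("Protect", "Identity and access control", 2, 4, 1),
    Outcome("Protect", "Role-based awareness training", 3, 3, 4),
    Outcome("Detect", "Continuous monitoring in place", 1, 3, 2),
    Outcome("Respond", "Response plan exercised", 2, 3, 2),
    Outcome("Recover", "Recovery plan tested", 1, 3, 3),
)


def validate(outcomes):
    """Reject malformed profile entries before any analysis is done."""
    for o in outcomes:
        if o.function not in FUNCTIONS:
            raise ValueError(f"unknown CSF function: {o.function!r}")
        for level in (o.current, o.target):
            if level not in TIER_NAMES:
                raise ValueError(f"{o.label}: level {level} outside 1..4")
        if o.priority < 1:
            raise ValueError(f"{o.label}: priority must be >= 1")
    return True


def gap_roadmap(outcomes):
    """Outcomes whose Target exceeds Current, ordered for a remediation roadmap.

    Sort key: organizational priority first, then larger gaps first, then the
    Core's own function order so the ordering is deterministic.
    """
    validate(outcomes)
    gaps = [o for o in outcomes if o.target > o.current]
    return sorted(
        gaps,
        key=lambda o: (o.priority, -(o.target - o.current), FUNCTIONS.index(o.function)),
    )


def function_summary(outcomes):
    """Per-function view: how many outcomes still have a gap and the average levels."""
    validate(outcomes)
    summary = {}
    for fn in FUNCTIONS:
        group = [o for o in outcomes if o.function == fn]
        if not group:
            continue
        summary[fn] = {
            "outcomes": len(group),
            "gaps": sum(1 for o in group if o.target > o.current),
            "current_avg": sum(o.current for o in group) / len(group),
            "target_avg": sum(o.target for o in group) / len(group),
        }
    return summary


def render(outcomes):
    """Plain-text roadmap lines, one per outstanding gap."""
    lines = []
    for o in gap_roadmap(outcomes):
        lines.append(
            f"P{o.priority} {o.function:8} {o.label}: "
            f"{TIER_NAMES[o.current]} -> {TIER_NAMES[o.target]} (+{o.target - o.current})"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_OUTCOMES)))
    for fn, s in function_summary(SAMPLE_OUTCOMES).items():
        print(f"{fn}: {s['gaps']}/{s['outcomes']} gaps, "
              f"avg current {s['current_avg']:.1f}, avg target {s['target_avg']:.1f}")
```

Running the script prints the six outstanding gaps with the two priority-1 items (asset inventory and access control) first, and then a per-function summary; an outcome whose target already equals its current level (the training entry) does not appear on the roadmap. Sorting by the organization's own priority before gap size is the design choice that keeps the roadmap aligned with the risk management priorities the profile is meant to reflect rather than with raw distance to target.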