Who is the NIST (National Institute of Standards and Technology):
The NIST is a federal agency within the US Department of Commerce. It was tasked in 2013 to develop a voluntary framework for reducing cyber risks to critical infrastructure.
What is the NIST Cybersecurity Framework:
This is a voluntary guidance to better manage and reduce cybersecurity risk in organizations. It was designed to promote risk and cybersecurity management communications between internal and external organizational stakeholders.
The framework was designed to be used by organizations of various types and sizes. Each of the framework components (Framework Core, Profiles, and Tiers) can be used in a variety of ways to address the needs of an organization. Some of the ways are:
- Communication with stakeholders within an organization.
- Sharing of cybersecurity expectation with business partners and suppliers.
- Mapping of the framework to current cybersecurity management processes.
- Using the framework as a planning tool to assess risk and current practices.
Framework Components and how they are used.
Framework Core:
This is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.These activities are grouped by five functions:
- Identify assets in the organization.
- Protect identified Assets in the organization.
- Detect anomalies and events.
- Respond appropriated to detected anomalies.
- Recover from anomalies.
The framework core give organizations an overview on how cybersecurity risks should be managed from the beginning to the end.
Framework Profile:
These are the cybersecurity goals an organization is aiming to achieve based on their business needs selected from the framework categories and subcategories. The profile allows an organization to determine its current cybersecurity risk level and develop a way to reduce the risks.
Framework Tiers:
These provides an organization a way to assess how it views cybersecurity and the processes in place to manage cybersecurity risks. The tiers range from Partial (Tier 1) to Adaptive (Tier 4). The tiers assist an organization in determining how closely their cybersecurity risk management processes are aligned with their business.
Overall the framework provides a plan for an organization on how to address cybersecurity risks.