This Framework was released April 16, 2018 and focuses on using business drivers to guide cybersecurity activities and on treating cybersecurity risk as part of the organization's broader risk management processes. The Framework consists of three parts:
- Framework Core
A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows cybersecurity activities and outcomes to be communicated across the organization, from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. The Framework Core then breaks each Function into Categories and Subcategories, which are discrete outcomes, and maps each Subcategory to example Informative References such as existing standards, guidelines, and practices.
- Framework Implementation Tiers
Framework Implementation Tiers provide context on how an organization views cybersecurity risk and on the processes it has in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization's practices over a range from Partial (Tier 1) through Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed; they are not maturity levels, and moving to a higher Tier is appropriate only where a cost-benefit analysis shows a feasible and cost-effective reduction in cybersecurity risk. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
- Framework Profile
The Framework Profile represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories. A Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization reviews all of the Categories and Subcategories and, based on business/mission drivers and a risk assessment, determines which are most important; it can add Categories and Subcategories as needed to address risks specific to the organization. The Current Profile can then be used to prioritize and measure progress toward the Target Profile, while factoring in other business needs such as cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and to communicate within an organization or between organizations.