The NIST Cybersecurity Framework comprises the Core, the Profile, and the Implementation Tiers.
The Core is the set of cybersecurity activities, controls, and outcomes common to all organizations. The Profile is an organization-specific adaptation of the Core that considers the organization’s risk tolerance, business needs, and legal and regulatory requirements. The Implementation Tiers are a set of maturity levels that describe how an organization has implemented the Cybersecurity Framework.

The Core

The Core is organized around five Functions: Identity, Protect, Detect, Respond, and Recover. Each Function is further broken down into Categories and Subcategories that describe specific cybersecurity activities. Let’s discuss each element in a broader context.

Identify: The Identify Function aims to understand the organization’s risk environment and identify the assets that need to be protected. This includes understanding the organization’s business processes, identifying the critical data, and the potential threats and vulnerabilities that could impact those assets.

Protect: Protecting the organization’s assets from unauthorized access, use, or disclosure. This requires the implementation of security controls, which can be either technical or non-technical. Technical controls are firewalls and intrusion detection systems, while non-technical controls include employee training and security policies.

Detect: The goal of the Detect Function is to identify cybersecurity events that have occurred. This can be done through the use of security logs, intrusion detection systems, and other monitoring tools.

Respond: When a cybersecurity event has been detected, the Respond Function kicks in. The goal here is to contain the event and minimize the damage that has been done. This may involve disconnecting affected systems from the network, activating incident response plans, and notifying law enforcement.

Recover: The Recover Function aims to restore normal operations and bring affected systems back online. This includes backing up data, implementing disaster recovery plans, and patching systems to prevent future incidents.

The Profile

The Profile is a customized version of the Core that takes into account an organization’s risk tolerance, business needs, and legal and regulatory requirements. The Profile identifies which cybersecurity activities are most important to the organization and how they should be implemented.

The Implementation

The Implementation Tiers describe an organization’s maturity level concerning the Cybersecurity Framework. There are four Tiers: Partial, Risk-Informed, Repeatable, and Adaptive. The higher the Tier, the more mature the organization’s cybersecurity program is.

Partial: The organization has partially implemented the Cybersecurity Framework.

Risk-Informed: The organization has implemented the Cybersecurity Framework in a way that is informed by understanding its cybersecurity risks.

Repeatable: The framework has been implemented in a way that is repeatable and scalable.

Adaptive: The organization has implemented the Cybersecurity Framework in a way that is adaptive to changes in the organization’s cybersecurity risks.

The NIST Cybersecurity Framework is flexible and adaptable guidance that organizations of all sizes and industries can use. It is not a one-size-fits-all solution but a framework that can be customized to meet an organization’s specific needs.

The framework further guides how to select and implement security controls from NIST Special Publication 800-53, a catalog of security controls for information systems and organizations. These security controls are divided into 17 families, each of which addresses a specific security area. For example, the Access Control family includes controls that help prevent unauthorized access to systems and data. The Awareness and Training family has controls that ensure users know security risks and how to protect themselves. The 17 families include:
– Access Control
– Audit and Accountability
– Awareness and Training
– Configuration Management
– Contingency Planning
– Identification and Authentication
– Incident Response
– Maintenance
– Media Protection
– Physical and Environmental Protection
– Planning
– Personnel Security
– Recovery
– Risk Assessment
– System and Communications Protection
– System and Information Integrity

The NIST Cybersecurity Framework is a living document that is continuously updated in response to changing threats and technologies. Organizations are encouraged to periodically review and update their Cybersecurity Framework implementation to maintain an effective cybersecurity program.

The NIST Cybersecurity Framework and ISO 27001 are two of the most popular cybersecurity frameworks today. Both guide how to implement an effective cybersecurity program, but there are some key differences between the two.

The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST) in the wake of the 2013 Target breach. It is a voluntary framework that guides how to assess and improve an organization’s cybersecurity posture.

ISO 27001 is an international standard that provides requirements for an information security management system (ISMS). Organizations that implement ISO 27001 can be certified by an accredited third party.

The NIST Cybersecurity Framework is designed to be flexible and adaptable to the specific needs of an organization. It is also designed to be used in conjunction with other security frameworks, such as ISO 27001.

The key differences between the NIST Cybersecurity Framework and ISO 27001 are:

!. Certification is optional for the NIST Cybersecurity Framework and is mandatory for ISO 27001.

2. The NIST Cybersecurity Framework is focused on improving an organization’s cybersecurity posture, while ISO 27001 is focused on establishing and maintaining an ISMS.

3. The NIST Cybersecurity Framework is generic, while ISO 27001 is specific to the Information Security Management System.

4. The NIST Cybersecurity Framework is designed to be used in conjunction with other security frameworks, while ISO 27001 can be used as a standalone framework.

5. The NIST Cybersecurity Framework is continuously updated in response to changing threats and technologies, while ISO 27001 is updated every four years.

Organizations should select the security framework that best meets their needs. Both the NIST Cybersecurity Framework and ISO 27001 are effective tools for improving cybersecurity. However, the decision of which framework to use should be based on the specific needs of the organization.

NIST Framework recommends following the seven steps below to implement cybersecurity in your organization:

1. Scope and Prioritize: Determine which systems and assets need protection and prioritize them based on the organization’s business objectives.

2. Orient and Baseline: Understand the organization’s current cybersecurity posture and risk profile.

3. Create a Current Profile: Identify the desired cybersecurity outcomes and compare them to the current state.

4. Identity, Map, and Prioritize Gaps: Conduct a risk assessment to identify gaps in the organization’s cybersecurity posture.

5. Implement Risk Mitigation Strategies: Select and implement appropriate risk mitigation strategies.

6 Assessment: Regularly assess the organization’s cybersecurity posture to ensure that risk mitigation strategies are effective and up-to-date.

7. Communicate: Inform relevant stakeholders of the organization’s cybersecurity posture and risk profile.