NIST CYBERSECURITY FRAMEWORK

1. Introduction
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It is flexible enough to be adapted to the unique cybersecurity needs of different organizations. The Framework gives organizations a common mechanism to describe their current cybersecurity posture, describe their target state for cybersecurity, assess progress toward that target state, and communicate about cybersecurity risk with internal and external stakeholders.

2. Framework Overview
The Framework's risk-based approach to managing cybersecurity risk is composed of three parts:

  • Framework Core
    The Core is a set of cybersecurity activities, desired outcomes, and applicable references (industry standards, guidelines, and practices) that are common across sectors. It presents these outcomes in a way that allows cybersecurity activities to be communicated from the executive level down to the implementation/operations level. The Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover.
  • Framework Implementation Tiers
    Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. They characterize an organization's practices over a range from Partial (Tier 1) to Adaptive (Tier 4).
  • Framework Profile
    The Profile aligns the Functions, Categories, and Subcategories of the Core with the business requirements, risk tolerance, and resources of a particular organization. Profiles come in two forms: a Current Profile (the "as is" state) and a Target Profile (the "to be" state). Comparing the two is how progress is measured.

3. Framework Components
In this section, we explain in detail the three components of the NIST Framework:

  • Framework Core
    The Core is not a checklist of actions to perform; rather, it presents key cybersecurity outcomes that have been identified as helpful in managing cybersecurity risk. The Core is made up of four elements, described below:

    1. Functions
      Functions organize basic cybersecurity activities at their highest level. They aid in expressing the management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The five Functions are:

      • Identify
        Develop an organizational understanding of how to manage cybersecurity risk to systems, people, assets, and data. Examples of outcome Categories are Asset Management, Governance, and Risk Assessment.
      • Protect
        Develop and implement the safeguards required to ensure delivery of critical services. Examples of outcome Categories are Awareness and Training, Data Security, and Identity Management and Access Control.
      • Detect
        Develop and implement the activities needed to identify the occurrence of a cybersecurity event. Examples of outcome Categories are Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
      • Respond
        Develop and implement the activities needed to take action on a detected cybersecurity incident. Examples of outcome Categories are Communications, Analysis, Mitigation, and Improvements.
      • Recover
        Develop and implement the activities needed to maintain plans for resilience and to restore any capabilities or services impaired by a cybersecurity incident. Examples of outcome Categories are Recovery Planning, Improvements, and Communications.
    2. Categories
      Each Function is subdivided into Categories: groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories are Asset Management, Identity Management and Access Control, and Detection Processes.
    3. Subcategories
      Each Category is further divided into Subcategories: specific outcomes of technical and/or management activities. Examples include "Data-at-rest is protected" (PR.DS-1) and "External information systems are catalogued" (ID.AM-4).
    4. Informative References
      Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method for achieving the outcome associated with each Subcategory.
  • Framework Implementation Tiers
    The Tiers describe the degree to which an organization's cybersecurity risk management is informed by business needs and integrated into its overall risk management activities. Tiers are not maturity levels: moving to a higher Tier is encouraged only when it would reduce cybersecurity risk cost-effectively. The Tier definitions are as follows:

    1. Tier 1: Partial
      • Risk Management Process
        Risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Cybersecurity activities are not prioritized by business requirements and are not informed by organizational risk objectives or the threat environment.
      • Integrated Risk Management Program
        There is limited awareness of cybersecurity risk at the organizational level. Risk management is implemented on an irregular, case-by-case basis, and cybersecurity information is not shared within the organization.
      • External Participation
        The organization does not collaborate with or receive information from other entities, and it is unaware of the cyber supply chain risks of the products and services it provides and uses.
    2. Tier 2: Risk-Informed
      • Risk Management Process
        Risk management practices are approved by management but are not established as an organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, and business/mission requirements.
      • Integrated Risk Management Program
        There is awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing it has not been established. Cybersecurity information is shared within the organization informally.
      • External Participation
        The organization receives information from other entities and generates some of its own, but it does not share information with others.
    3. Tier 3: Repeatable
      • Risk Management Process
        Risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated as risk management processes are applied to changes in business/mission requirements and in the threat and technology landscape.
      • Integrated Risk Management Program
        An organization-wide approach to managing cybersecurity risk is implemented through risk-informed policies, processes, and procedures that are defined, implemented as intended, and reviewed.
      • External Participation
        The organization collaborates with and receives information from other entities regularly, and shares its own. It is aware of the risks associated with the products and services it provides and uses.
    4. Tier 4: Adaptive
      • Risk Management Process
        The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from current and previous cybersecurity activities. Through continuous improvement it responds to changing threats and technologies in a timely and effective manner.
      • Integrated Risk Management Program
        Cybersecurity risk is managed in the same way as any other enterprise risk, using organization-wide, risk-informed policies, processes, and procedures. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered in decision making.
      • External Participation
        The organization receives, generates, and reviews prioritized information that continuously informs its understanding of risk as threats and technologies evolve. It shares that information internally and externally with its collaborators.
  • Framework Profile
    The Framework Profile is the alignment of Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. It helps an organization reduce the cybersecurity risks that matter most to its goals. An organization may maintain several Profiles, for example one per business line or system.
    A Current Profile indicates the outcomes that are being achieved today; a Target Profile indicates the outcomes needed to reach the organization's cybersecurity risk management goals. Comparing the two reveals the gaps to be addressed. Because each gap is a specific Subcategory rather than a vague goal, the gaps can be costed, prioritized, and tracked as an action plan.
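The Current-versus-Target comparison above is easy to do mechanically once both Profiles are recorded per Subcategory. The following Python script is an added example, not part of the original article and not an official NIST tool: it scores each Subcategory 0 to 4 in both Profiles, lists the gaps weighted by an assumed business priority, and rolls the gap sizes up per Function for an executive-level view. The Subcategory identifiers (PR.DS-1, ID.AM-4, DE.AE-1 and so on) follow NIST CSF v1.1; the 0 to 4 score scale, the priority weights and the sample profiles are assumptions constructed for illustration, and the scores are not Implementation Tiers, which apply to the organization as a whole.

```python
"""Current-vs-Target Profile gap analysis.

Added example (not part of the original article, and not an official NIST
tool). Subcategory identifiers follow NIST CSF v1.1 (e.g. PR.DS-1 is
"Data-at-rest is protected", ID.AM-4 is "External information systems are
catalogued"). The 0-4 implementation score per Subcategory, the business
priority weights and the sample profiles are assumptions constructed for
illustration; the Framework prescribes no scoring scale, and these scores
are NOT Implementation Tiers, which apply to the organization as a whole.
"""
from dataclasses import dataclass
from typing import Dict, List

# Two-letter Function prefixes used in every Subcategory identifier.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
MAX_SCORE = 4  # assumed scale: 0 = not implemented .. 4 = fully implemented


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: int  # business priority 1 (low) .. 3 (high); an assumption

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def weight(self) -> int:
        # Larger gaps on higher-priority outcomes float to the top.
        return self.size * self.priority


def validate_profile(profile: Dict[str, int]) -> None:
    """Reject identifiers with an unknown Function prefix or out-of-range scores."""
    for sub, score in profile.items():
        if sub[:2] not in FUNCTIONS or sub[2:3] != ".":
            raise ValueError(f"unknown Subcategory identifier: {sub}")
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"score for {sub} must be 0..{MAX_SCORE}, got {score}")


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 priority: Dict[str, int]) -> List[Gap]:
    """Return every Subcategory whose Target score exceeds its Current score,
    highest weight first. A Subcategory listed only in the Target Profile
    is treated as not implemented at all (current score 0)."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        if tgt > cur:
            gaps.append(Gap(sub, FUNCTIONS[sub[:2]], cur, tgt, priority.get(sub, 1)))
    gaps.sort(key=lambda g: (-g.weight, g.subcategory))
    return gaps


def rollup_by_function(gaps: List[Gap]) -> Dict[str, int]:
    """Total gap size per Function: the one-line summary an executive sees."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.size
    return totals


# Constructed sample profiles (scores and priorities are illustrative, not NIST data).
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.AM-4": 1, "PR.AC-1": 2, "PR.DS-1": 1,
                   "DE.CM-1": 2, "RS.AN-1": 1, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-4": 3, "PR.AC-1": 3, "PR.DS-1": 4,
                  "DE.CM-1": 3, "DE.AE-1": 2, "RS.AN-1": 2, "RC.RP-1": 2}
PRIORITY = {"PR.DS-1": 3, "RC.RP-1": 3, "ID.AM-4": 2}  # unlisted -> priority 1


def main() -> None:
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    print("Prioritized gaps (Subcategory, Function, current -> target, weight):")
    for g in gaps:
        print(f"  {g.subcategory:8} {g.function:9} {g.current} -> {g.target}  weight={g.weight}")
    print("Gap size per Function:", rollup_by_function(gaps))


if __name__ == "__main__":
    main()
```

Two design choices are worth noting. A Subcategory that appears only in the Target Profile is counted as a gap from zero rather than ignored, because an outcome nobody has assessed is the one most likely to be unaddressed. And the per-Function rollup is deliberately coarse: it is the figure to carry to the executive level, while the weighted Subcategory list is what the implementation/operations level works from.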

4. Coordination of Framework Implementation

  • Information typically flows between three levels of an organization:
    • Executive
    • Business/Process
    • Implementation/Operations
  • The executive level communicates mission priorities, available resources, and overall risk tolerance to the business/process level. That level uses them as inputs to its risk management process and collaborates with implementation/operations to build a Profile. Implementation/operations reports progress against the Profile back to business/process, which uses it to assess impact and report to the executive level, closing the loop.

Writer: Kunal Babbar, under the mentorship of Karan Srivastava