Cybersecurity Risk Management. Cynthia Brumfield
Figure 0.1 NIST CORE FRAMEWORK.
Within each of these functions are categories of activities. Within each category of activities are subcategories, and for each subcategory, there are informative references, usually standards, for helping to support the activities (Figure 0.2).
Figure 0.2 NIST CATEGORIES, SUBCATEGORIES, AND INFORMATIVE REFERENCES.
For example, one category under the function Identify is Asset Management (Figure 0.3). A subcategory of Asset Management is “Physical devices and systems within the organization are inventoried.” For that subcategory, the Framework offers informative references that guide the inventory of physical devices, mostly standards established by various technical standards-setting bodies. The complete listing of the Functions, Categories, Subcategories, and Informative References is in Appendix A of the final Framework Document on the NIST website.6
Figure 0.3 NIST FUNCTIONS AND CATEGORIES.
Although some organizations find the Framework Core, Categories, and Subcategories to be daunting, NIST intends them to be resources from which certain elements can be selected, examined, or used depending on the organization’s unique configuration. NIST does not intend it to serve as a checklist of required activities. Nor are the Functions “intended to form a serial path, or lead to a static desired end state.”
FRAMEWORK IMPLEMENTATION TIERS
The Framework Implementation Tiers consist of four levels of “how an organization views cybersecurity risk and the processes in place to manage that risk.” Although the levels are progressive in terms of rigor and sophistication from Tier 1 (Partial) to Tier 4 (Adaptive), they are not “maturity” levels in terms of cybersecurity approaches. NIST bases successful implementation on the outcomes described in the organization’s Target Profiles (see the next section) rather than on a progression from Tier 1 to Tier 4.
The final Framework document describes the implementation tiers in more detail, but the following is a summary of the four tiers, modified from NIST’s description (Figure 0.4):
Tier 1: Partial – Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level with no organization-wide approach to cybersecurity. The organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 2: Risk-Informed – Management approves risk management practices, but they may not be an organization-wide policy. There is awareness of cybersecurity risk at the organization level. Still, an organization-wide approach has not been established, and the organization understands the broader ecosystem but has not formalized its participation in it.
Tier 3: Repeatable – The organization’s risk management practices are approved and formally adopted as policy. There is an organization-wide approach to risk management. The organization collaborates with and receives information from partners in the wider ecosystem.
Tier 4: Adaptive – The organization adapts its cybersecurity practices from lessons learned. Cybersecurity risk management uses risk-informed policies, procedures, and processes and is part of the organizational culture, and the organization actively shares information with partners.
Figure 0.4 NIST IMPLEMENTATION TIERS.
FRAMEWORK PROFILE
The Framework Profile is a blueprint or map that considers the Framework’s functions, categories, and subcategories for a specific purpose tailored to the organization’s needs. Organizations should develop profiles for current or desired cybersecurity objectives, and some organizations can create multiple profiles for different segments or aspects of the organization.
No template for what a profile should look like exists because Framework users should tailor their profiles to their organizations’ specific needs. As NIST points out, there is no right or wrong way to develop a profile. As Figure 0.5 illustrates, the factors that could go into a profile are an organization’s business objectives, threat environment, requirements, and controls, all of which create a cybersecurity profile unique to that organization.
Figure 0.5 NIST FRAMEWORK RISK MANAGEMENT CYCLE.
The vital aspect of a profile is the comparison between where an organization is currently and where it wishes to be – its target. As NIST states in the Framework document, “this risk-based approach enables an organization to gauge resource estimates (e.g. staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.”7
OTHER ASPECTS OF THE FRAMEWORK DOCUMENT
Although the Core, Tiers, and Profiles are the most critical parts of the Framework, the document released in February 2014 and updated in 2018 also contains other useful pieces of information, including tips on using the Framework and advice on communicating the importance of the Framework to stakeholders.
RECENT DEVELOPMENTS AT NIST
In response to a series of damaging and high-profile cyberattacks involving Chinese state-sponsored threat actors and Russian ransomware operators, President Joe Biden released a wide-ranging and ambitious executive order (EO) on May 12, 2021: the President’s Executive Order on “Improving the Nation’s Cybersecurity” (EO 14028). The EO assigns NIST several complex tasks that reshape U.S. cybersecurity policy and requirements. These tasks also elevate the foundational importance of the NIST cybersecurity framework’s core functions of identifying, protecting, detecting, responding, and recovering. (See https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity).
As of this book’s publication date, many of these NIST mandates are still in process. In addition, it’s important to note that any requirements coming out of the EO apply only to federal government agencies and their contractors. But, under the theory that most of the world’s leading tech companies are also major suppliers to the federal government, it’s likely that the EO and the NIST requirements would ultimately have spill-over effects for private sector organizations.
The NIST assignments in the EO include:
Developing guidance to help agencies achieve “zero-trust” architecture. Zero-trust is the latest trend in cybersecurity that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the