In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization’s cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT. The overall framework is structured into three parts:

  1. The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References which guide implementation of security controls.
  2. Framework Implementation Tiers: Describe a level of achievement in an organization’s approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven, proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
  3. Framework Profile: Represents the state of an organization’s cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organization’s as-is state, and a Target Profile is created to identify gaps, opportunities, and the desired outcome of cybersecurity improvement efforts.