Overview
The NIST Cybersecurity Framework (CSF) is a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk. It provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally.
Core Functions
- Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Implementation Tiers
- Tier 1 - Partial: Risk management practices are not formalized, and risk is managed in an ad hoc manner
- Tier 2 - Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy
- Tier 3 - Repeatable: Risk management practices are formally approved and expressed as policy
- Tier 4 - Adaptive: Organization adapts its cybersecurity practices based on lessons learned and predictive indicators
Profile Development
- Current Profile: Assessment of current cybersecurity activities
- Target Profile: Desired cybersecurity outcomes
- Gap Analysis: Comparison of current and target profiles
- Action Plan: Roadmap to achieve target profile
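The four profile steps above form one procedure: score the Current Profile, score the Target Profile, compute the gap, and turn the gap into a roadmap. The following is an added example (not NIST's own tooling and not code from this page) that carries the procedure through in Python, scoring each Core Function on the Implementation Tiers (1-4) and emitting a prioritized action plan. The profile contents are constructed sample data; real profiles are usually scored per Category or Subcategory, and the same logic applies there with finer-grained keys.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example, not part of the NIST CSF publication. Each Core Function is
scored on the Implementation Tier scale (1-4); the profile values below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The five Core Functions, in the order the framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Implementation Tiers, used here as the maturity scale for each Function.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        # Positive: work to do; zero: on target; negative: current exceeds target.
        return self.target - self.current


def validate_profile(profile: dict[str, int], name: str) -> None:
    """Reject profiles that omit a Function, name an unknown one, or use a Tier outside 1-4."""
    missing = [f for f in FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"{name} profile is missing Functions: {missing}")
    for function, tier in profile.items():
        if function not in FUNCTIONS:
            raise ValueError(f"{name} profile has unknown Function {function!r}")
        if tier not in TIERS:
            raise ValueError(f"{name} profile: {function} tier {tier!r} is not in 1-4")


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Compare the two profiles and return one Gap per Function, largest gap first."""
    validate_profile(current, "current")
    validate_profile(target, "target")
    gaps = [Gap(f, current[f], target[f]) for f in FUNCTIONS]
    # Largest gaps first; ties keep framework order (Identify before Protect, ...).
    return sorted(gaps, key=lambda g: (-g.size, FUNCTIONS.index(g.function)))


def action_plan(gaps: list[Gap]) -> list[str]:
    """Turn positive gaps into roadmap items; Functions already on target are omitted."""
    plan = []
    for g in gaps:
        if g.size <= 0:
            continue
        plan.append(
            f"{g.function}: raise from Tier {g.current} ({TIERS[g.current]}) "
            f"to Tier {g.target} ({TIERS[g.target]}), {g.size} tier step(s)"
        )
    return plan


# Constructed sample profiles (not from any real assessment).
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 2}

if __name__ == "__main__":
    for item in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)):
        print(item)
```

Running the block prints the Detect and Respond items first, because both sit two tiers below target; Recover produces no item because its current and target tiers already match. The validation step matters in practice: a profile that silently omits a Function would otherwise read as "no gap" for that Function.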