
NIST Cybersecurity Framework

A 10 Minute Guide to the NIST Cybersecurity Framework

This white paper offers an executive introduction to the National Institute of Standards and
Technology’s (NIST) Cybersecurity Framework1, which is a comprehensive guide to managing
cybersecurity for an entire organization. The framework is both a technical reference and
a management guide. The latter means that parts of it apply to, and require the attention of,
an organization’s senior management. Unfortunately, the technical depth and breadth necessary
to cover such a broad and complex topic can make the documents intimidating. Gaining
an understanding of the framework’s terms and concepts will help executives interface more
effectively with employees, clients, and vendors as they apply this framework.

ThreatSketch®
business solutions for cyber risk

© Threat Sketch, LLC - All rights reserved.
Redistribution without written permission is prohibited.

1 The official title is Framework for Improving Critical Infrastructure Cybersecurity, but it is referred to informally as the NIST Cybersecurity Framework, or simply the framework.

T 844-487-4757 [844-ITRISKS] | threatsketch.com | rob@threatsketch.com Page 1



Terminology and Concepts

The NIST Cybersecurity Framework serves as both a guideline for business owners and a reference manual that points to external resources that contain more detail. Those responsible for implementing cybersecurity solutions will use the framework extensively as a reference manual. Executives will use it more often as a management guide for setting goals, measuring progress, and establishing a connection between an organization’s mission-driven strategy and low-level objectives.

Tiers

The NIST Cybersecurity Framework aims to transform an organization from an ad hoc, reactive posture to a level of managed adaptability. The framework expresses this progression as four tiers, the last of which embodies the pinnacle of strategic cyber risk management.

Tier 1: Partial – This describes an organization with a reactive posture, one that lacks strategic awareness and coordinates with no other entities. Businesses in this tier ignore cyber risk in their own supply chain and do not recognize the risk they pose to the supply chain of others.

Tier 2: Risk Informed – At this level management begins to take a limited, authoritative role. Organizational leaders are aware of threats, but have not fully tied them to strategy. The organization is aware of cyber risks in the supply chain and its position in the larger ecosystem, but has not taken any steps toward managing risks outside of the organization.

Tier 3: Repeatable – At this level, risk management is a formal policy driven from the top of the organization. Risks are monitored and measured by each operating unit of the business. Information about risks is exchanged with the larger ecosystem, and supply chain issues are addressed via management-approved policies and procedures.

Tier 4: Adaptive – At this point the organization is in a constant state of learning. It adapts to predictive issues as well as real-time events. Business strategy and risk management objectives are clearly connected. Cyber risk is managed as a business/financial problem at the executive level. The organization is an active participant in sharing information and lessons with the larger ecosystem, and relationships with supply chain partners are formalized through agreements and proactive communication.

These Tiers provide very long-term milestones. Knowing where the organization currently stands and leading toward the next Tier is an executive function. Tiers also help shape culture and attitude among employees. For example, is it enough to identify and react to cybersecurity issues in the moment, or is it the expectation that deliberate effort is made to think ahead, make informed decisions, and develop detailed procedures? When a company’s top leadership is tasked with establishing culture, the Tiers can help communicate expectations.

The Tiers help communicate with supply chain partners too. When negotiating with clients and vendors, the Tiers help articulate and frame expectations. They also offer another dimension on which vendors and suppliers can be compared to each other.

Functions

Collectively known as the Core, the detail of the framework is organized into five Functions. The sequence provides a hint as to the order in which each function should be tackled. The definitions for each function are:

• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

[Figure: the five Functions in sequence – 1 IDENTIFY, 2 PROTECT, 3 DETECT, 4 RESPOND, 5 RECOVER]




Categories, Subcategories, and Informative References

The Functions described above are broken into twenty-three Categories and over one hundred Subcategories. A brief description of each is given in the framework. Subcategories also contain declarative statements and external references to address individual topics.

Declarative statements are statements of fact such as: “Jack runs.” Someone may conclude that a given statement is true (Jack is indeed running), false (Jack is standing still), or somewhere in between (Jack is jogging). With that in mind, let’s look at an example:

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

The identifier ID.RA-5 designates this as an IDentify Function in the Risk Assessment Category addressing Subcategory number 5. The declarative statement is then evaluated by simply thinking about the statement, or discussing it with a team, to decide if it is true for the organization. If the answer is false or unsure, then one should read the Informative References to figure out how to make it true.

Informative References refer to specific sections of a publication that further describe what an organization might do in order to say “yes” to this statement in the future. Continuing the above example, the framework provides the following Informative References for ID.RA-5:

• COBIT 5 APO12.02

• ISO/IEC 27001:2013 A.12.6.1

• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

Unfortunately, not all of the external reference material is free. Some of the information is only available with membership, licences, or purchases from specific organizations. Others, like the NIST’s own Special Publications (SP 800-x), are free.

Busy executives often just want to know which products and services they need to buy. The framework does not give product level information, primarily because doing so would violate government policies regarding the endorsement of commercial interests. Despite this, it does provide a wealth of advice to help make informed purchase decisions.

Figure 1 is a snapshot of the framework’s Core, which shows how Functions, Categories, Subcategories, and Informative References are organized. The full layout is more easily browsed in spreadsheet form, which is available on the NIST’s website.

Figure 1 – A section of the NIST Cybersecurity Framework Core (v1.1 DRAFT).

In theory, a Tier 4 organization would give a definitive “yes” to every declarative statement in every Subcategory. However,
the NIST recognizes that not every item applies to every organization. It is also true that what is sufficient to say “yes” for one
company may be insufficient for another. This is another way the NIST built flexibility into the framework.




Profiles

A pass through all of the Subcategories answering Yes, No, Partial, Unsure, or Not Applicable to each is what the framework refers to as a Profile. A Profile allows an organization to take a baseline snapshot of where it stands. The NIST recommends using this baseline to identify which areas need improvement. It may help to think about baseline and target Profiles like an actual and a projected budget. However, budgeting is just a helpful metaphor. The framework provides no formula for budgeting.

Keep in mind that Profile items are not weighted equally. Seventy yes’s on a Profile might indicate good risk management practices, or it could mean the organization is still very exposed. To understand relative importance, Profile results need context. The framework provides guidance for developing context in these Identify (ID) Categories:

• Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

• Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

• Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Executives at large companies will have an easier time digesting the reference material for these three categories than their small business counterparts. At times the reference material can be more elaborate than is practical for small organizations. Owners and executives of smaller, resource-constrained organizations need a slightly different approach, one that looks at budgets and management of cybersecurity with their specific needs in mind. For this audience, the book Cybersecurity: A Business Solution* is a great resource. It offers a concise, step-by-step approach to managing risk. It explains what risk assessments are and shows how to use them to establish priorities and budgets. It also provides a more in-depth discussion of the role executives play in managing cyber risk through company culture, vendor relationships, etc., and other strategic contributions.

Conclusion

Adopting the NIST Cybersecurity Framework is a great way to protect your company from cyber attack. In addition to being a comprehensive technical reference for solving specific problems, it offers executives a way to:

• Establish and communicate company wide goals and cultural standards.

• Monitor status and measure progress toward a larger goal.

• Connect baselines and targets to the organizational mission and strategic goals.

Even if your organization takes a different approach to managing cyber risk, you will at some point encounter the NIST Cybersecurity Framework as a government, industry, or client-driven mandate. All U.S. Government agencies are required to adopt this standard2, which also applies to anyone doing business with them. Over time, anyone doing business with the U.S. government will need to demonstrate compliance with the framework.

In the private sector, large companies are demanding proof of good cybersecurity stewardship. This is because 63 percent of attacks on large companies have been traced back to vendors in their supply chain3. In some cases, companies are banding together to develop and enforce industry wide regulations. Healthcare, payment card processing, and banking are examples of this. In other cases, large companies are demanding good cybersecurity practices directly from all of their suppliers as a condition of doing business. Small companies that can provide proof of cybersecurity stewardship can win more business and charge a premium in some cases.

The NIST Cybersecurity Framework is the most universal solution to meet government and private sector demands. Whatever brings executives into contact with the framework, having a solid understanding of the terminology and the concepts will improve communication with employees, clients, and vendors when evaluating and adopting the NIST Cybersecurity Framework.

For more information, please visit our website: ThreatSketch.com

*For a preview of the book, please visit: cybersecurityabusinesssolution.com
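The identifier scheme (ID.RA-5 = Identify Function, Risk Assessment Category, Subcategory 5) and the baseline-versus-target Profile comparison described above, as an added example that is not part of this white paper or of NIST’s own material. The five Function codes, the Profile answer set, and the three Informative References for ID.RA-5 come from the page; the sample baseline and target Profiles are constructed, and the gap ranking (Unsure treated like No, items listed rather than summed) is this example’s own choice.

```python
import re
from collections import defaultdict

# Added example (not from the white paper or NIST). Identifier scheme and
# answer set follow the page; the sample Profiles further down are constructed.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
ANSWERS = {"Yes", "No", "Partial", "Unsure", "Not Applicable"}
# Informative References the page lists for ID.RA-5 (others omitted here).
REFERENCES = {"ID.RA-5": ["COBIT 5 APO12.02", "ISO/IEC 27001:2013 A.12.6.1",
                          "NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16"]}
_ID_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")

def parse_id(ident):
    """Split 'ID.RA-5' into (Function name, Category code, Subcategory number)."""
    m = _ID_RE.match(ident)
    if not m:
        raise ValueError(f"not a framework identifier: {ident!r}")
    func, cat, num = m.groups()
    return FUNCTIONS[func], f"{func}.{cat}", int(num)

def profile_gaps(baseline, target):
    """Return {Function: [(id, baseline answer, target answer, references)]}
    for every Subcategory whose baseline answer falls short of the target.
    'Unsure' ranks like 'No' (either sends you to the Informative References);
    'Not Applicable' is skipped. Gaps are listed, never summed or weighted."""
    rank = {"No": 0, "Unsure": 0, "Partial": 1, "Yes": 2}
    gaps = defaultdict(list)
    for ident, want in target.items():
        have = baseline.get(ident, "Unsure")  # unanswered counts as Unsure
        if have not in ANSWERS or want not in ANSWERS:
            raise ValueError(f"bad answer for {ident}: {have!r} / {want!r}")
        if "Not Applicable" in (have, want):
            continue
        if rank[have] < rank[want]:
            function, _category, _number = parse_id(ident)
            gaps[function].append((ident, have, want, REFERENCES.get(ident, [])))
    return dict(gaps)

# Constructed baseline and target Profiles for a handful of Subcategories.
BASELINE = {"ID.RA-5": "No", "ID.RM-1": "Partial", "ID.GV-1": "Yes",
            "PR.AC-1": "Unsure", "DE.CM-1": "Not Applicable"}
TARGET = {"ID.RA-5": "Yes", "ID.RM-1": "Yes", "ID.GV-1": "Yes",
          "PR.AC-1": "Partial", "DE.CM-1": "Yes"}

if __name__ == "__main__":
    for function, items in profile_gaps(BASELINE, TARGET).items():
        for ident, have, want, refs in items:
            print(f"{function} {ident}: {have} -> {want}; read: {', '.join(refs) or 'n/a'}")
```

The output groups open items by Function and attaches the Informative References to read next, which is the context the page says a bare count of yes’s cannot give.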

2 “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” White House, Office of the Press Secretary,
May 11, 2017, https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
3 “2013 Trustwave Global Security Report,” Trustwave Document Library. https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/

