Scribd Logo
Upload

Welcome to Scribd!

  • An Introduction To The Components of The Framework - NIST

    Uploaded by

    Patricia Fillips
    38 views7 pages
    An Introduction to the Components of the Framework _ NIST

    Original Title

    An Introduction to the Components of the Framework _ NIST

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    An Introduction to the Components of the Framework _ NIST

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    38 views7 pages

    An Introduction To The Components of The Framework - NIST

    Uploaded by

    Patricia Fillips
    An Introduction to the Components of the Framework _ NIST

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    5/25/2021 An Introduction to the Components of the Framework | NIST

    https://www.nist.gov/cyberframework/online-learning/components-framework

    Cybersecurity Framework (https://www.nist.gov/cyberframework)

    An Introduction to the Components


    of the Framework
    Overview

    The Introduction to the Components of the Framework page presents readers with an
    overview of the main components of the Framework for Improving Critical
    Infrastructure Cybersecurity ("The Framework") and provides the foundational
    knowledge needed to understand the additional Framework online learning pages. If
    you're already familiar with the Framework components and want to learn more
    about how industry is using the Framework, see Uses and Benefits of the Framework
    (https://www.nist.gov/cyberframework/uses-and-benefits-framework).

    Framework Components

    The Cybersecurity Framework consists of three main components:

    Framework Core

    Implementation Tiers

    Profiles

    https://www.nist.gov/cyberframework/online-learning/components-framework 1/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    Framework Core

    The Core is a set of desired cybersecurity activities and outcomes organized into
    Categories and aligned to Informative References. The Framework Core is designed
    to be intuitive and to act as a translation layer to enable communication between
    multi-disciplinary teams by using simplistic and non-technical language. The Core
    consists of three parts: Functions, Categories, and Subcategories. The Core includes
    five high level functions: Identify, Protect, Detect, Respond, and Recover. These 5
    functions are not only applicable to cybersecurity risk management, but also to risk
    management at large. The next level down is the 23 Categories that are split across
    the five Functions. The image below depicts the Framework Core's Functions and
    Categories.

    https://www.nist.gov/cyberframework/online-learning/components-framework 2/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    The Categories were designed to cover the breadth of cybersecurity objectives for an
    organization, while not being overly detailed. It covers topics across cyber, physical,
    and personnel, with a focus on business outcomes.

    Subcategories are the deepest level of abstraction in the Core. There are 108
    Subcategories, which are outcome-driven statements that provide considerations for
    creating or improving a cybersecurity program. Because the Framework is outcome
    driven and does not mandate how an organization must achieve those outcomes, it
    enables risk-based implementations that are customized to the organization's needs.

    https://www.nist.gov/cyberframework/online-learning/components-framework 3/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    The five Subcategories pictured from the Business Environment Category (ID.BE)
    provide an example of the outcome focused statements that are found throughout the
    core. The column to the right, Informative References support the Core by providing
    broad references that are more technical than the Framework itself. Organizations
    may wish to use some, none, or all of these references to inform the activities to
    undertake to achieve the outcome described in the Subcategory.

    For more information regarding the Informative References, see the Informative
    References Learning Module (https://www.nist.gov/cyberframework/online-
    learning/informative-references).

    Framework Implementation Tiers

    Tiers describe the degree to which an organization’s cybersecurity risk management


    practices exhibit the characteristics defined in the Framework. The Tiers range from
    Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, and
    how well integrated cybersecurity risk decisions are into broader risk decisions, and
    the degree to which the organization shares and receives cybersecurity info from
    external parties.

    https://www.nist.gov/cyberframework/online-learning/components-framework 4/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    Tiers do not necessarily represent maturity levels. Organizations should determine


    the desired Tier, ensuring that the selected level meets organizational goals, reduces
    cybersecurity risk to levels acceptable to the organization, and is feasible to
    implement, fiscally and otherwise.

    Framework Profiles

    Profiles are an organization's unique alignment of their organizational requirements


    and objectives, risk appetite, and resources against the desired outcomes of the
    Framework Core. Profiles can be used to identify opportunities for improving
    cybersecurity posture by comparing a “Current” Profile with a “Target” Profile.

    https://www.nist.gov/cyberframework/online-learning/components-framework 5/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    Profiles are about optimizing the Cybersecurity Framework to best serve the
    organization. The Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do
    it. One way of approaching profiles is for an organization to map their cybersecurity
    requirements, mission objectives, and operating methodologies, along with current
    practices against the subcategories of the Framework Core to create a Current-State
    Profile. These requirements and objectives can be compared against the current
    operating state of the organization to gain an understanding of the gaps between the
    two.

    The creation of these profiles, and the gap analysis allows organizations to create a
    prioritized implementation plan. The priority, size of gap, and estimated cost of the
    corrective actions help organizations plan and budget for cybersecurity improvement
    activities.

    https://www.nist.gov/cyberframework/online-learning/components-framework 6/7
    5/25/2021 An Introduction to the Components of the Framework | NIST

    For an expanded explanation of the Framework components or the Framework


    implementation process, see the 7 steps in the Framework Document
    (https://doi.org/10.6028/NIST.CSWP.04162018). Also, for examples of Framework Profiles,
    please review the following Resources (https://www.nist.gov/cyberframework/examples-
    framework-profiles).

    Additional Resources
    Components_of_Cybersecurity_Framework.pptx
    (https://www.nist.gov/document/componentsofcybersecurityframeworkpptx)

    Information technology (https://www.nist.gov/topic-terms/information-technology) and


    Cybersecurity (https://www.nist.gov/topic-terms/cybersecurity)
    Created February 6, 2018, Updated May 14, 2021

    https://www.nist.gov/cyberframework/online-learning/components-framework 7/7

    You might also like