Summary: The following slides may be leveraged to present the three
primary components of the Framework and how they are intended to be
used.
Audience: These slides are intended for an audience who is new to the
Framework with no previous knowledge or understanding of its
components.
Learning Objectives:
• Distinguish the characteristics within the four Implementation Tiers
• Recognize the cybersecurity taxonomy and hierarchy within the
Framework Core
• Understand the goals of a Framework Profile
Components of the Cybersecurity Framework
July 2018
cyberframework@nist.gov
Cybersecurity Framework Components
The Framework consists of 3 main components

Framework Implementation Tiers
Framework Core

Function (guiding question) / Category / ID

Identify (What processes and assets need protection?)
  ID.AM  Asset Management
  ID.BE  Business Environment
  ID.GV  Governance
  ID.RA  Risk Assessment
  ID.RM  Risk Management Strategy
  ID.SC  Supply Chain Risk Management
Protect (What safeguards are available?)
  PR.AC  Identity Management & Access Control
  PR.AT  Awareness and Training
  PR.DS  Data Security
  PR.IP  Information Protection Processes & Procedures
  PR.MA  Maintenance
  PR.PT  Protective Technology
Detect (What techniques can identify incidents?)
  DE.AE  Anomalies and Events
  DE.CM  Security Continuous Monitoring
  DE.DP  Detection Processes
Respond (What techniques can contain impacts of incidents?)
  RS.RP  Response Planning
  RS.CO  Communications
  RS.AN  Analysis
  RS.MI  Mitigation
  RS.IM  Improvements
Recover (What techniques can restore capabilities?)
  RC.RP  Recovery Planning
  RC.IM  Improvements
  RC.CO  Communications
Core: A Translation Layer

Senior Executives
• Broad enterprise considerations
• Abstracted risk vocabulary

Implementation / Operations
• Deep technical considerations
• Highly specialized vocabulary

Specialists in Other Fields
• Specific focus outside of cybersecurity
• Specialized or no risk vocabulary
Subcategories & Informative References

Subcategory / Informative References

ID.BE-1: The organization’s role in the supply chain is identified and communicated
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
  ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
  NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  COBIT 5 APO02.06, APO03.01
  NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  COBIT 5 APO02.01, APO02.06, APO03.01
  ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
  NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
  NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established
  COBIT 5 DSS04.02
  ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
  NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Framework Profiles
• Alignment with business requirements, risk tolerance, and organizational resources
• Enables organizations to establish a roadmap for reducing cybersecurity risk
• Used to describe current state or desired target state of cybersecurity activities
Building a Profile

Resource and Budget Decision Making
…and supports on-going operational decisions, too
Resources: Where to Learn More and Stay Current
Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
Additional cybersecurity resources: http://csrc.nist.gov/
Questions, comments, ideas: cyberframework@nist.gov

Editor's Notes

  • #4: Three main components of the Framework:
    Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization, and the degree to which an organization’s cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive). Tier options: Partial (Tier 1), Risk-Informed (Tier 2), Risk-Informed and Repeatable (Tier 3), Adaptive (Tier 4). Each organization will decide which tier matches its risk management needs and capabilities. It is not a race to the top.
    Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization. Consists of Functions, Categories, Subcategories, and Informative References. Functions: Identify, Protect, Detect, Respond, Recover.
    Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs. Helps organizations progress from their current level of cybersecurity sophistication to a target improved state.
  • #5: Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk, as defined below:
    Risk Management Process: The functionality and repeatability of cybersecurity risk management.
    Integrated Risk Management Program: The extent to which cybersecurity is considered in broader risk management decisions.
    External Participation: The degree to which the organization benefits by sharing or receiving information from outside parties.
    The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management processes, how well integrated cyber risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information with external parties. Tiers do not represent maturity levels. Organizations should determine the desired Tier, ensuring that the selected level meets organizational goals, is feasible to implement, and reduces cybersecurity risk to levels acceptable to the organization.
  • #6: The Framework Core consists of five high-level Functions: Identify, Protect, Detect, Respond, and Recover (IPDRR). The next level down is just 22 categories split across the 5 Functions. The Core was designed to cover the entire breadth while not being overly deep. It covers topics across cyber, physical, and personnel.
  • #7: The Framework Core is designed to be intuitive. The Core can be thought of as a translation layer that takes cybersecurity and translates it to other disciplines. It uses simple language to make it accessible to all parties regardless of field or technical knowledge, while still remaining relevant to those who are technical.
  • #8: Subcategories are the deepest level of abstraction in the Core. There are 97 subcategories, which are outcome-driven statements that provide considerations for creating or improving a cybersecurity program. The subcategories shown are the 5 from the Business Environment category. The other column is for Informative References. These informative references are broad references that are more technical than the Framework itself. The Framework is designed to be coupled with them, so organizations often use control catalogs such as NIST SP 800-53, COBIT, ISO 27001, etc. to obtain more technical guidance.
  • #9: A Profile is:
    Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization.
    A means for organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.
    Usable to describe the current state or the desired target state of cybersecurity activities.
  • #10: Profiles are about optimizing the Cybersecurity Framework to best serve the organization. The Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do it. This is just one way of approaching Profiles. An organization can map its cybersecurity requirements, mission objectives, and operating methodologies, along with current practices, against the subcategories of the Framework Core. These requirements and objectives can then be compared against the current operating state of the organization to gain an understanding of the gaps between the two.
  • #11: The creation of these Profiles and the gap analysis allow organizations to create a prioritized roadmap. The priority, the size of the gap, and the estimated cost of the corrective actions help organizations plan and budget cybersecurity activities. The voluntary and flexible nature of the Framework makes it extremely cost effective, and it can be used by an organization to prioritize cybersecurity activities regardless of its budget.
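The Profile gap analysis and prioritized roadmap described in notes #10 and #11, as an added example that is not part of the NIST deck: a small Python model of the Core taxonomy (Category IDs taken from the Framework Core slide) holding current-versus-target scores per subcategory, a check that entries stay inside the taxonomy, and a roadmap ordered by business priority, gap size and estimated cost, plus a per-Function gap total for budget planning. The 0..4 scoring scale, the priorities, the costs and the sample entries are constructed values; only ID.BE-1 appears on the slides themselves.

```python
# Added example (not code from the NIST deck): a Framework Profile gap
# analysis over the Core taxonomy. Category IDs are from the slide; the
# scores, priorities and costs are constructed sample values.
from dataclasses import dataclass
# Function / Category IDs taken from the Framework Core slide.
CORE_CATEGORIES = {
    "ID.BE": ("Identify", "Business Environment"),
    "PR.AC": ("Protect", "Identity Management & Access Control"),
    "DE.CM": ("Detect", "Security Continuous Monitoring"),
    "RS.MI": ("Respond", "Mitigation"),
    "RC.RP": ("Recover", "Recovery Planning"),
}

@dataclass(frozen=True)
class ProfileEntry:
    subcategory: str  # e.g. "ID.BE-1"; the category ID precedes the "-"
    current: int      # current-state score on a constructed 0..4 scale
    target: int       # target-state score on the same scale
    priority: int     # 1 = highest business priority (constructed)
    cost: float       # estimated cost to close the gap (constructed units)

    @property
    def category(self) -> str:
        return self.subcategory.split("-", 1)[0]

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)  # only shortfalls count

def validate(entries):
    """Reject entries whose category ID is not in the Core taxonomy."""
    unknown = [e.subcategory for e in entries if e.category not in CORE_CATEGORIES]
    if unknown:
        raise ValueError(f"subcategories outside the Core taxonomy: {unknown}")

def prioritized_roadmap(entries):
    """Open gaps ordered by business priority, then gap size, then cost."""
    validate(entries)
    return sorted((e for e in entries if e.gap > 0),
                  key=lambda e: (e.priority, -e.gap, e.cost))

def gap_by_function(entries):
    """Total gap per Function: the budget-planning view from the deck."""
    totals = {fn: 0 for fn, _ in CORE_CATEGORIES.values()}
    for e in entries:
        totals[CORE_CATEGORIES[e.category][0]] += e.gap
    return totals

# Constructed sample profile; only ID.BE-1 appears on the slides themselves.
SAMPLE_PROFILE = [
    ProfileEntry("ID.BE-1", current=1, target=3, priority=2, cost=20.0),
    ProfileEntry("PR.AC-1", current=2, target=4, priority=1, cost=50.0),
    ProfileEntry("DE.CM-1", current=3, target=3, priority=1, cost=0.0),
    ProfileEntry("RS.MI-1", current=0, target=3, priority=1, cost=35.0),
    ProfileEntry("RC.RP-1", current=1, target=2, priority=3, cost=10.0),
]
```

Entries already at target (DE.CM-1 here) drop out of the roadmap, and an entry whose category ID is not in the taxonomy is rejected before any ranking is done.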