1. Uses and Benefits of the Cybersecurity Framework
July 2018
cyberframework@nist.gov
2. Uses of the Cybersecurity Framework
The Framework is designed to complement existing business and
cybersecurity operations, and can be used to:
• Understand security status
• Establish / Improve a cybersecurity program
• Communicate cybersecurity requirements with stakeholders
• Identify opportunities for new or revised standards
• Assist in prioritizing improvement activities
• Enable investment decisions to address gaps
3. Who should use the Framework?
The Cybersecurity Framework is for organizations of all…
• Size
• Sector
• Maturity
It’s not just for critical infrastructure!
4. Common Patterns of Use
The Cybersecurity Framework has helped organizations:
• Integrate the functions into your leadership vocabulary and
management tool sets.
• Determine optimal risk management using Implementation Tiers.
• Reflect on business environment, governance, and risk
management strategies.
• Develop Profiles and Roadmaps to prioritize improvement activities.
6. Why Use the Cybersecurity Framework?
It’s a framework, not a prescriptive standard
• Common Language
• Adaptable
• Collaboration Opportunities
• Ability to Demonstrate Due Care
• Easily Maintain Compliance
• Secure Supply Chain
• Cost Efficiency
7. Resources
Where to Learn More and Stay Current
For guidance on implementing the Framework see the Resources page: www.nist.gov/cyberframework/framework-resources-0
Framework Success Stories highlight real world implementation: cyberframework@nist.gov
Editor's Notes
#3:The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
Understand current cybersecurity operations through the creation of a current state profile
Establish or Improve a cybersecurity program regardless of maturity by reducing risk
Communicate cybersecurity requirements with stakeholders – including suppliers and partners
Identify opportunities for new or revised standards
Assist in prioritizing improvement activities (gap assessment)
Enable investment decisions to address gaps
Additionally, the Framework can help:
Identify tools and technologies to help organizations use the Framework
Integrate privacy and civil liberties considerations into a cybersecurity program
#4:Can be used by organizations regardless of size or sector.
Framework was designed with CI in mind, but is extremely versatile and can easily be used by non-CI organizations
Still provides value to mature programs, or can be used by organizations seeking to create a cybersecurity program. The framework complements, and does not replace, an organization’s risk management process and cybersecurity program. It can be used to leverage current processes and to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.
Additionally, the Framework incorporates international standards and can be voluntarily used in or outside the United States
#6:The Framework helps guide key decision points about risk management activities through the various levels of an organization from senior execs, to business and process level, to implementation and operations.
The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.
#7:The Framework provides a common language and systematic methodology for managing cyber risk.
The Framework can be tailored to meet each organization’s needs. It does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity.
Framework Profiles and Roadmaps can be used as artifacts to easily demonstrate due care for cybersecurity.
The Framework Informative References and community published standards mappings can help achieve compliance goals.
Enables best practices to become standard practices for everyone via a common lexicon that enables action across diverse stakeholders. Communicates cybersecurity requirements with stakeholders, including partners and suppliers.
Framework profiles and roadmaps are completely customizable by the organization, allowing it to be cost effective for any budget.
#8:Framework Success Stories summarize why and how organizations use the Framework, emphasizing the variety of approaches and benefits, typically including results, lessons learned, and next steps.