NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a voluntary set of cybersecurity guidelines an organization can follow to better manage and reduce cybersecurity risk. The Framework is only guidance; it is not a checklist or a list of required controls like those in NIST SP 800-171. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. This EO outlines responsibilities for Federal Departments and Agencies to aid in improving the cybersecurity of Critical Infrastructure, such as the electrical grid, water treatment plants, transportation, and internet backbone providers. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes. The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget. Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.