
Improving Cyber Readiness with the NIST Cybersecurity Framework


January 2017

The NIST Cybersecurity Framework

Adopting the NIST Cybersecurity Framework can help any organization improve its cyber readiness. Organizations that already have a security program based on regulatory compliance requirements such as HIPAA and SOX or industry standards such as PCI-DSS and ISO 27001 can use the framework to measure and communicate the current effectiveness of implemented policies and processes addressing cybersecurity risks. Organizations with no formal security program can leverage the framework as a road map to identify business security needs and take the necessary steps to address cybersecurity risks to their data, operations, systems, and employees.

Background

The framework is a result of a 2013 Presidential Executive Order titled “Improving Critical Infrastructure Cybersecurity” which called for the development of a voluntary risk-based cybersecurity framework based on industry standards and best practices to help private sector organizations manage cybersecurity risks. Faced with the growing tide of cyber attacks against private businesses and organizations in industry sectors such as energy, financial services, and healthcare, which are critical to our economy, national security, and very way of life, this order was an attempt to help these organizations defend against cybersecurity threats without creating additional regulatory burdens. The resulting framework, released in 2014 after ten months of collaboration between government and private sector security experts, creates a common language to address and manage cybersecurity risk in a cost-effective manner based on business needs.

Benefits of adopting the Framework

There are four key benefits an organization can realize by adopting the NIST Cybersecurity Framework:

- Harmonize cybersecurity approaches and provide a common language for discussing cybersecurity risks within and across organizations and industries.
- Establish the right level of security for an organization based on business needs.
- Inform cybersecurity budget planning based on risk prioritization.


- Communicate cybersecurity risk comprehensively to senior leadership.

Framework Components

The framework consists of three primary components: Core, Implementation Tiers, and Profile.

The Core provides a set of activities, outcomes, and informative references providing the detailed guidance for developing individual organizational risk management profiles. It consists of five concurrent and continuous functions which provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.


The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework.

- Tier 1 (Partial) – Risks are managed in an ad hoc manner with limited awareness of risks.
- Tier 2 (Risk Informed) – Risk management processes and program are in place but are not integrated enterprise-wide.
- Tier 3 (Repeatable) – Formal policies for risk management processes and program are in place enterprise-wide.
- Tier 4 (Adaptive) – Risk management processes and programs are based on lessons and predictive indicators derived from previous and current cybersecurity activities.

The Profile component represents cybersecurity outcomes, based on business needs, that an organization has selected from the Core function categories. Profiles can be used to identify gaps and opportunities for improving an organization’s cybersecurity risk management posture by creating a “Current” Profile, which represents the organization’s current risk management posture based on implemented policies, processes, and controls, and a “Target” Profile, which represents the desired posture based on business needs. Gaps between the Current and Target Profiles establish the baseline for implementation of the framework and for improving an organization’s cybersecurity readiness.
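The Current-versus-Target comparison described above can be expressed as a small gap analysis. The following Python script is an added illustration, not NIST's Reference Tool and not MCGlobalTech code. The only names taken from the text are the five Core functions; the category names, the 0–4 implementation scale, the business-priority weights and the sample profiles are all constructed for the example, since the framework itself prescribes none of them.

```python
"""Current-vs-Target Profile gap analysis (added illustration).

The five Core functions come from the framework; category names, the 0-4
implementation scale, the priority weights and the sample data below are
constructed for this example and are not part of the framework.
"""
from dataclasses import dataclass
from typing import Optional

# The five concurrent Core functions, in the order the framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# A profile maps (function, category) -> implementation level, 0..4 (constructed
# scale: 0 = not implemented, 4 = fully implemented and measured).
Profile = dict[tuple[str, str], int]


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int
    priority: int  # constructed business-priority weight, default 1

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def weighted(self) -> int:
        return self.size * self.priority


def _check(profile: Profile) -> None:
    """Reject unknown Core functions and out-of-range levels."""
    for (function, _), level in profile.items():
        if function not in FUNCTIONS:
            raise ValueError(f"unknown Core function: {function!r}")
        if not 0 <= level <= 4:
            raise ValueError(f"implementation level out of range: {level}")


def gap_analysis(current: Profile, target: Profile,
                 priorities: Optional[dict[tuple[str, str], int]] = None) -> list[Gap]:
    """Return every category where Target exceeds Current, largest weighted gap first.

    A category present in the Target Profile but absent from the Current Profile is
    treated as level 0 (not implemented at all).
    """
    _check(current)
    _check(target)
    priorities = priorities or {}
    gaps = []
    for key, want in target.items():
        have = current.get(key, 0)
        if want > have:
            gaps.append(Gap(key[0], key[1], have, want, priorities.get(key, 1)))
    # Ties are broken by the function's position in the Core, then category name.
    return sorted(gaps, key=lambda g: (-g.weighted, FUNCTIONS.index(g.function), g.category))


def readiness_by_function(current: Profile, target: Profile) -> dict[str, float]:
    """Share of the Target Profile already achieved, per Core function (0.0-1.0).

    Exceeding a target level earns no extra credit; a function with no target
    categories has nothing outstanding and scores 1.0.
    """
    _check(current)
    _check(target)
    achieved = {f: 0 for f in FUNCTIONS}
    required = {f: 0 for f in FUNCTIONS}
    for (function, category), want in target.items():
        required[function] += want
        achieved[function] += min(current.get((function, category), 0), want)
    return {f: (achieved[f] / required[f] if required[f] else 1.0) for f in FUNCTIONS}


# Constructed sample profiles for a small organization.
CURRENT: Profile = {
    ("Identify", "Asset inventory"): 2,
    ("Identify", "Risk assessment"): 1,
    ("Protect", "Access control"): 3,
    ("Protect", "Awareness training"): 1,
    ("Detect", "Continuous monitoring"): 1,
    ("Respond", "Response planning"): 0,
    # No Recover category has been implemented yet.
}
TARGET: Profile = {
    ("Identify", "Asset inventory"): 3,
    ("Identify", "Risk assessment"): 3,
    ("Protect", "Access control"): 3,
    ("Protect", "Awareness training"): 2,
    ("Detect", "Continuous monitoring"): 3,
    ("Respond", "Response planning"): 2,
    ("Recover", "Recovery planning"): 2,
}
PRIORITIES = {  # constructed weights reflecting business needs
    ("Detect", "Continuous monitoring"): 3,
    ("Respond", "Response planning"): 3,
    ("Identify", "Risk assessment"): 2,
}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, PRIORITIES):
        print(f"{g.function:8} {g.category:22} {g.current}->{g.target}  weighted gap {g.weighted}")
    for function, share in readiness_by_function(CURRENT, TARGET).items():
        print(f"{function:8} {share:.0%} of target achieved")
```

The ordered gap list is the prioritized road map the text refers to: the first entries are the categories where a low current level meets a high business priority. The per-function readiness figures give the kind of summary view that can be communicated to senior leadership without listing every category.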


Bottom Line - And Next Steps

The first step to improving organizational cyber readiness is an initial “fitness” assessment based on the framework. NIST provides access to all framework-related information, including a Reference Tool to help organizations looking to implement the framework, on its website.

Organizations that need help implementing the framework or want to learn more about its benefits can visit the MCGlobalTech CyberRx Risk Intelligence Solution, which automates the framework and helps organizations determine their cybersecurity risk exposure and the potential financial impact of a successful data breach.

Source: https://www.nist.gov/cyberframework


About William McBorrough

William J. McBorrough is an Information Assurance and Cyber Security leader with an extensive background managing, designing, and implementing medium and large enterprise physical and information technology security solutions and programs. Mr. McBorrough is Co-Founder and Managing Principal at MCGlobalTech, a Washington, DC-based Information Security Management Consulting firm where he helps clients in the public and private sectors build Risk-Focused Security Programs. Mr. McBorrough has served on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College where he has conducted research and taught graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), Certified Ethical Hacker (CEH) and HITRUST Certified Common Security Framework Practitioner (CCSFP).