The National Institute of Standards released Version 1.0 of the NIST Cybersecurity Framework Feb 12, 2014. The Framework provides a common taxonomy and mechanism for organizations to describe current and target state cybersecurity postures, identify and prioritize opportunities for improvement, and communicate cybersecurity risk.
The NIST Cybersecurity Framework Core consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover. Each of these Functions is further subdivided into several Categories that describe functions within an organization’s security program. The Categories are further divided into Subcategories which are tied to specific technical or management activities.
The Framework Core and Informative Requirements are available as separate downloads in three formats: spreadsheet (Excel), alternate view (PDF), and database (FileMaker Pro). A companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration.
The Framework also provides a way to classify the relative sophistication of an organization’s security posture through four identified Tiers (Partial, Risk Informed, Repeatable, and Adaptive). While not meant to be a full blown Maturity Model, the Tiers provide a mechanism to identify current and target states for the Categories within the Core.
The NIST Framework is a useful tool to quantify an overall security posture, but currently lacks any prioritization of Functions or Categories. The Council on CyberSecurity has released a Top 20 list of high-value, prioritized security controls which cover the foundational components of an organization’s security program.
The CCS Top 20 is a target profile. As expected, the security controls are heavily weighted in the “Protect” Function of the Framework. By combining the NIST Framework and CSC Top 20, a useful analysis can be performed and then utilized as a driver for prioritized activities to improve an organization’s security posture.
The NIST Benchmark uses the data gained during the various phases of the security audit to identify the current state.