In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which set out a plan to reduce the risk of cyberattacks on critical infrastructure. The order directed the US Department of Commerce's National Institute of Standards and Technology (NIST) to develop that plan, which became the Framework for Improving Critical Infrastructure Cybersecurity (the Framework). NIST worked with more than three thousand individuals and organizations to produce it. The Framework is voluntary: its goal is to help organizations build and improve cybersecurity programs using a common language and a set of existing industry standards and practices, rather than to impose new regulation.
The Framework is designed to help any organization reach an appropriate level of cybersecurity protection regardless of its size, sector, or current level of security. It consists of three parts: (1) the Framework Core, (2) the Framework Implementation Tiers, and (3) the Framework Profiles. The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references (citations to existing standards and guidelines) that are common across sectors. It is organized into five Functions, Identify, Protect, Detect, Respond, and Recover, each broken down into Categories and Subcategories. The Core is the vocabulary an organization uses to build its Framework Profiles, which in turn drive its cybersecurity plan. In effect, the Core describes every aspect of an organization's cybersecurity protection so that the organization can see where it has coverage and where it does not.
The Framework Implementation Tiers describe how an organization views cybersecurity risk and how rigorous its processes for managing that risk are; an organization places itself into one of four Tiers. Ranked from least to most rigorous, the four Tiers are: (1) Partial, (2) Risk Informed, (3) Repeatable, and (4) Adaptive. The Partial Tier describes organizations whose risk management practices are ad hoc and that may not consult risk objectives or the threat environment when making cybersecurity decisions. The Risk Informed Tier describes organizations whose cybersecurity risk management practices are approved by management but are not yet established as organization-wide policy. The Repeatable Tier describes organizations whose practices are formally approved and expressed as policy, and are regularly updated as business requirements and the threat landscape change. The Adaptive Tier describes organizations that adapt their cybersecurity practices continuously, applying lessons learned from past incidents and predictive risk indicators. NIST is explicit that the Tiers are not maturity levels; they help an organization understand how cybersecurity risk fits into its broader organizational risk management and decide whether moving to a higher Tier is worth the cost.
Once an organization has worked through the Framework Core and selected an Implementation Tier, it can create a Framework Profile that aligns the Core's Functions, Categories, and Subcategories with its own business requirements, risk tolerance, and resources. A "Current" Profile gives the organization a clear picture of which outcomes it is achieving today and which parts of its cybersecurity program need improvement. A "Target" Profile describes the cybersecurity state the organization wants to reach. The gaps between the "Current" and "Target" Profiles become the organization's prioritized action plan, and progress is measured by how those gaps close over time.
Several resources support the Framework, including NIST's Roadmap for Improving Critical Infrastructure Cybersecurity, NIST's Cybersecurity Framework Reference Tool, and the Department of Homeland Security's Critical Infrastructure Cyber Community (C³) Voluntary Program. An organization that wants to use the Framework should start at NIST's Framework website: http://www.nist.gov/cyberframework/.