In February 2014 NIST released the “Framework for Improving Critical Infrastructure Cybersecurity”, which consists of standards, guidelines, and practices to promote the protection of critical infrastructure. While it was developed for the critical infrastructure industry, it is really applicable to all industries and organizations. As far as NIST documents go, it’s a fairly easy and digestible read at only 41 pages including the appendices.
The Framework defines a comprehensive taxonomy of cybersecurity divided into five functions: Identify, Protect, Detect, Respond, Recover. These five functions are further divided into categories and sub-categories as shown in the graphic above. Rather than providing prescriptive guidance on specific activities, tools, or methodologies, it defines the outcomes or objectives for these functions and categories. I can understand the rationale for this, as there are many ways to achieve the outcomes or objectives that are described, and this gives organizations flexibility in selecting the tools and approaches that are most appropriate for them. However, organizations that are looking for more prescriptive guidance (as I think most that consult the Framework are) may be disappointed that there isn’t more on the “how” of achieving the outcomes that are described. The Framework does reference other standards for each of the categories and sub-categories that may provide more guidance for implementation.
The reason I like the Framework is the comprehensive and accurate taxonomy of cybersecurity functions that it provides. This can serve almost as an “Enterprise Architecture”, if you will, that organizations can use to plan and assess their cybersecurity capabilities. For example, we’re currently building some solutions around cyber analytics, and the Framework is providing a nice structure for us to systematically derive analytic use cases that will cover a broad array of cybersecurity functions. I also find the Framework useful as a communication tool to frame the discussion of our products and capabilities in meetings with clients, e.g. “this is how our product fits within the overall Cybersecurity Framework and how it helps to achieve objectives A, B, C of functions X, Y, Z …”
Anyway, here’s a quick overview of the five functions. You can download the actual PDF document from NIST here: http://www.nist.gov/cyberframework/. Just remember to use it for what it is: a planning tool rather than an implementation tool.
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
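As an added example of using the Framework the way the post describes, as a planning tool for mapping analytic use cases onto its taxonomy, here is a small coverage check (example code, not from the original post or from NIST). It uses the CSF 1.0 function and category identifiers from the Framework's Appendix A; the use cases and their category mappings are constructed sample data.

```python
# Added example: map constructed detection/analytic use cases onto CSF 1.0
# functions and categories, then report per-function coverage and gaps.
from collections import defaultdict

# CSF 1.0 function identifiers and their category identifiers (Framework Appendix A).
CSF_CATEGORIES = {
    "ID": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "PR": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "DE": ["DE.AE", "DE.CM", "DE.DP"],
    "RS": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "RC": ["RC.RP", "RC.IM", "RC.CO"],
}

# Constructed sample data: analytic use cases and the categories each one supports.
USE_CASES = {
    "failed-logon-spike": ["DE.AE", "DE.CM"],
    "new-asset-seen-on-network": ["ID.AM", "DE.CM"],
    "privileged-group-change": ["PR.AC", "DE.CM"],
    "ticket-opened-on-alert": ["RS.AN", "RS.CO"],
    "backup-restore-drill": ["RC.RP"],
    "typo-category": ["DE.XX"],  # unknown id: must be reported, not silently dropped
}


def coverage_report(use_cases, taxonomy=CSF_CATEGORIES):
    """Return (coverage, gaps, unknown).

    coverage: function id -> fraction of its categories touched by >= 1 use case
    gaps:     function id -> sorted categories that no use case touches
    unknown:  sorted category ids that do not exist in the taxonomy
    """
    known = {cat: fn for fn, cats in taxonomy.items() for cat in cats}
    covered = defaultdict(set)
    unknown = set()
    for cats in use_cases.values():
        for cat in cats:
            if cat in known:
                covered[known[cat]].add(cat)
            else:
                unknown.add(cat)
    coverage = {fn: len(covered[fn]) / len(cats) for fn, cats in taxonomy.items()}
    gaps = {fn: sorted(set(cats) - covered[fn]) for fn, cats in taxonomy.items()}
    return coverage, gaps, sorted(unknown)


if __name__ == "__main__":
    cov, gaps, unk = coverage_report(USE_CASES)
    for fn in CSF_CATEGORIES:
        print(f"{fn}: {cov[fn]:.0%} covered; gaps: {', '.join(gaps[fn]) or 'none'}")
    print("unknown category ids:", unk or "none")
```

The output makes the planning point concrete: Detect is two-thirds covered while Identify and Recover are mostly untouched, which is the kind of gap the Framework helps surface before any tool selection happens.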