1) Overview of The Cybersecurity Framework
2) CYBERSECURITY PROCESS
The Framework is a risk-based approach to manage cybersecurity risk, and is composed of three parts:
The Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each
Framework component reinforces the connection between business drivers and cybersecurity activities.
These components are explained below.
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references
that are common across critical infrastructure sectors. The Core presents industry standards, guidelines,
and practices in a manner that allows for communication of cybersecurity activities and outcomes across
the organization from the executive level to the implementation/operations level. The Framework Core
consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover.
When considered together, these Functions provide a high-level, strategic view of the lifecycle of an
organization's management of cybersecurity risk. The Framework Core then identifies underlying key
Categories and Subcategories for each Function, and matches them with example Informative
References such as existing standards, guidelines, and practices for each Subcategory.
A Framework Profile (Profile) represents the outcomes based on business needs that an
organization has selected from the Framework Categories and Subcategories. The Profile can be
characterized as the alignment of standards, guidelines, and practices to the Framework Core in an
implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity
posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state). To
develop a Profile, an organization can review all the Categories and Subcategories and, based on
business drivers and a risk assessment, determine which are most important; they can add Categories
and Subcategories as needed to address the organization's risks. The Current Profile can then be used to
support prioritization and measurement of progress toward the Target Profile, while factoring in other
business needs including cost-effectiveness and innovation. Profiles can be used to conduct
self-assessments and to communicate within an organization or between organizations.
FUNCTION   CATEGORY
IDENTIFY   Asset Management
           Business Environment
           Governance
           Risk Assessment
           Risk Management Strategy
PROTECT    Access Control
           Awareness and Training
           Data Security
           Information Protection Processes & Procedures
           Maintenance
           Protective Technology
DETECT     Anomalies and Events
           Security Continuous Monitoring
           Detection Processes
RESPOND    Response Planning
           Communications
           Analysis
           Mitigation
           Improvements
RECOVER    Recovery Planning
           Improvements
           Communications
The framework helps organizations understand, structure, manage, and reduce cybersecurity risks.
Security breaches can cause substantial financial losses, reputational damage, or outages that
may permanently damage a company's market position. The framework assists in identifying the most
important activities to assure critical operations and service delivery. It helps prioritize investments and
provides a common language inside and outside the organization for cybersecurity and risk
management.
The US government defines critical infrastructure to include utilities (water and energy) and other
critical sectors such as financial services, transportation, communications, healthcare, food supply,
key manufacturers, chemical facilities, dams, and emergency services.
5) IMPLEMENTATION TIERS
The framework defines four Implementation Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3
Repeatable, Tier 4 Adaptive) that describe the degree to which an organization's cybersecurity risk
management practices exhibit the characteristics defined in the Framework. The tiers are sometimes
referred to as maturity levels, but according to NIST they are primarily a tool for internal
communication between cybersecurity risk management and operational risk management and should not
be treated as maturity levels. Nevertheless, higher tiers do represent a higher degree of sophistication
and rigor in the management of cybersecurity risks and responses.
Sector-specific regulations and standards (such as the PCI DSS, NERC CIP, and HIPAA entries in the
glossary below) are fundamentally compatible with the Cybersecurity Framework. Some impose
additional requirements or place a different emphasis, but for the most part they complement each
other.
GLOSSARY
NIST: The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of
the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.
Congress established the agency to remove a major challenge to U.S. industrial competitiveness. From
the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials,
and computer chips, innumerable products and services rely in some way on technology, measurement,
and standards provided by NIST.

Critical infrastructure: The nation's critical infrastructure provides the essential services that
underpin American society and serve as the backbone of the nation's economy, security, and health: for
example, the power we use in our homes, the water we drink, the transportation that moves us, the
stores we shop in, and the communication systems we rely on to stay in touch with friends and family.

Cybersecurity: The research, plans, and actions undertaken to anticipate, prevent, and counter harm in
(or arising from) the digital world.

Controls: Cybersecurity controls are the safeguards (technical, administrative, or physical) applied to
digital systems to mitigate risk and provide higher assurance that those systems are protected; they
are the concrete actions that help prevent, detect, and limit attacks.

SSH (Secure Shell): A cryptographic network protocol, and the family of client and server tools that
implement it, that enables secure remote login, system administration, and file transfers over insecure
networks such as the Internet.

COBIT: A framework for developing, implementing, monitoring, and improving information technology (IT)
governance and management practices.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures
developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders'
personal information. PCI DSS compliance is required by all major card brands.

NERC CIP: The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC
CIP) standards are a set of requirements designed to secure the assets required for operating North
America's bulk electric system.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States
legislation that provides data privacy and security provisions for safeguarding medical information.