How the NIST Cybersecurity Framework Works: Tiers, Profiles, Functions and Categories

Webinar Registration

Security frameworks and standards can be the blessing or the malediction. On the one hand we need a standardized way of looking at and communicating about security and a common yard stick for assessing an organization’s security stance, gap analysis and comparing organizations. On the other hand, security standards can be voluminous piles of paper that everyone talks about and no one reads, let alone actually implements. 

The National Institute of Standards and Technology has a good reputation for producing workable standards that people actually use, and their newly updated Framework for Improving Critical Infrastructure Cybersecurity has become the defining standard not just for organizations in the federal space required to use it, but also by voluntary implementers in the local government or private sector.

The Framework document is short enough for anyone to get their arms around it, and the good news is that you can start using the framework in tentative steps and before adoption by your entire organization.

The key is understanding the structure of the framework and how it’s intended to be used.

If you are technical like me, go straight to the good stuff – literally called the “Core” – in Appendix A. Core is divided into 5 top level Functions:

  • ID – Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
  • PR – Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services
  • DE – Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event
  • RS – Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident
  • RC – Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

If you are like me, Protect and especially Detect are most interesting. Detect is broken into 3 categories:

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Those 3 categories are divided into smaller subcategories and each subcategory is mapped to detailed guidelines in popular security standards like COBIT, ISO 27001, CIS CSC and NIST 800-53. 

But the Framework is more than this core set of security controls. The value of the Framework really comes into focus when you understand how to use Profiles and Implementation Tiers. 

Implementation tiers measure how close your practices are to the Framework, and Profiles help you keep track of what parts of the Framework you have decided to work on, where you currently are and where you want to be.

In this real training for free webinar, I will open up the actual Framework document and take you through it online. Then we will pivot to Bryan Patton from Quest who will take a specific security issue like Pass-the-Hash attacks and show you how to bring the Cybersecurity Framework to bear on it.

We will also explain what’s changed in this most recent version of the Framework. For instance, this revision draws attention to the very real issue of software, hardware and service supply chain risks.

Please join us for this real training for free event to understand how to make quick and practical use of the Framework in small, tactical projects, as well as your larger, more strategic initiatives.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  
Public sector:

Your information will be shared with the sponsor.



Additional Resources