NCSF Awareness Training

NCSF Awareness Training

This course introduces the NIST Cybersecurity Framework (NIST CSF). The Framework is a risk-based
approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the
Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. These components are explained below.

  • The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable
    references that are common across critical infrastructure sectors. The Core presents industry
    standards, guidelines, and practices in a manner that allows for communication of cybersecurity
    activities and outcomes across the organization from the executive level to the
    implementation/operations level. The Framework Core consists of five concurrent and
    continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together,
    these Functions provide a high-level, strategic view of the lifecycle of an organization’s
    management of cybersecurity risk then identifies underlying key Categories and Subcategories
    for each Function, and matches them with example Informative References such as existing
    standards, guidelines, and practices for each Subcategory.
  •  

  • Framework Implementation Tiers (“Tiers”) provide context on how an organization views
    cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to
    which an organization’s cybersecurity risk management practices exhibit the characteristics
    defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers
    characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).
    These Tiers reflect a progression from informal, reactive responses to approaches that are agile
    and risk-informed. During the Tier selection process, an organization should consider its current
    risk management practices, threat environment, legal and regulatory requirements,
    business/mission objectives, and organizational constraints.
  •  

  • A Framework Profile (“Profile”) represents the outcomes based on business needs that an
    organization has selected from the Framework Categories and Subcategories. The Profile can be
    characterized as the alignment of standards, guidelines, and practices to the Framework Core in
    a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a
    “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the
    Categories and Subcategories and, based on business drivers and a risk assessment, determine
    which are most important; they can add Categories and Subcategories as needed to address the
    organization’s risks. The Current Profile can then be used to support prioritization and
    measurement of progress toward the Target Profile, while factoring in other business needs
    including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments
    and communicate within an organization or between organizations.

This course provides an introduction on why organizations should be using the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.