Using The Framework
What is the difference between ‘using’, ‘adopting’, and ‘implementing’ the Framework?
In a strict sense, these words are fairly interchangeable. They can mean an organization’s use of the Framework as a part of its internal processes. NIST generally refers to “using” the Framework.
Would the Framework have prevented recent highly publicized attacks?
There are no “silver bullets” when it comes to cybersecurity and protecting an organization. For instance, “Zero-day” attacks exploiting previously unknown software vulnerabilities are especially problematic. However, using the Framework to assess and improve management of cybersecurity risks should put organizations in a much better position to identify, protect, detect, respond to, and recover from an attack, minimizing damage and impact.
Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?
Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.
How does the Framework relate to information sharing?
The Framework provides guidance on how awareness of real and potential threats and vulnerabilities can be used to enhance an organization’s cybersecurity program.
Can the Framework help managing risk for assets that are not under my direct management?
Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers.
Should the Framework be applied to and by the entire organization or just to the IT department?
The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management, with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to organizational, mission/business, and IT and operational technology (OT)/industrial control system (ICS) systems level professionals. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.
How can the Framework help an organization with external stakeholder communication?
The Framework can be used to communicate with external stakeholders such as suppliers, services providers, and system integrators. More specifically, the Framework Core is a language in which to communicate, while Framework Profiles can be used to express security requirements.
What is the role of senior executives and Board members?
The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high level view of cybersecurity activities and outcomes that could be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.
How can organizations measure the effectiveness of the Framework?
Framework effectiveness depends upon each organization’s goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user’s discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.
How long does it take to implement the Framework?
Each organization’s cybersecurity resources, capabilities, and needs are different. So the time to implement the Framework will vary among organizations, ranging from as short as a few weeks to several years. The Framework Core’s hierarchical design enables organizations to apportion steps between current state and desired state in a way that is appropriate to their resources, capabilities, and needs. This allows organizations to develop a realistic action plan to achieve Framework outcomes in a reasonable time frame, and then build upon that success in subsequent activities.
Does the Framework require using any specific technologies or products?
No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.
Is a conformity assessment program being planned?
NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs. NIST is able to discuss conformity assessment-related topics with interested parties.
Will my organization be regulated against gaps between my current regulation and Framework?
The Framework was created with the current regulatory environment in mind, and does not replace or augment any existing laws or regulations. The Framework leverages industry best practices and methods for cybersecurity risk management, which are often used in regulation.
Is there a way to find out how organizations have used the Framework, and is there a place to get guidance that would help others?
Early users of the Framework are beginning to produce case studies, implementation guides, and other resources. These resources are starting to be available through trade and professional associations. NIST is also listing those items at the Framework website on the Framework Resources and Success Stories pages.
What if Framework guidance or tools do not seem to exist for my sector or community?
The Framework is designed to be applicable to any organization in any part of the critical infrastructure or broader economy. Applications from one sector may work equally well in others. It is expected that many organizations face the same kinds of challenges. There are published case studies and guidance that can be leveraged, even if they are from different sectors or communities. Organizations can encourage associations to produce sector-specific Framework mappings and guidance and organize communities of interest. You may also find value in coordinating within your organization or with others in your sector or community.
Why did NIST create the Perspectives web pages?
The Perspectives web pages are meant to inform people’s decision to use the Framework. The pages contain meaningful quotes that describe why the Framework is important or recommend its use. Survey information that indicates usage is also provided.
NIST is publishing brief Success Stories explaining how diverse organizations use the Framework to improve their cybersecurity risk management. Success stories are prepared by organizations using the Framework following a template and guidance provided by NIST.
How is cyber resilience reflected in the Cybersecurity Framework?
NIST Special Publication (SP) 800-160, Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy secure systems, defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source. Cyber resiliency has a strong relationship to cybersecurity but, like privacy, represents a distinct problem domain and solution space. Cyber resiliency supports mission assurance, for missions which depend on IT and OT systems, in a contested environment. The Cybersecurity Framework specifically addresses cyber resiliency through the ID.BE-5 and PR.PT-5 subcategories, and through those within the Recovery function. Other Cybersecurity Framework subcategories may help organizations determine whether their current state adequately supports cyber resiliency, whether additional elements are necessary, and how to close gaps, if any. Many organizations find that they need to ensure that the target state includes an effective combination of fault-tolerance, adversity-tolerance, and graceful degradation in relation to the mission goals. The Cybersecurity Framework supports high-level organizational discussions; additional and more detailed recommendations for cyber resiliency may be found in various cyber resiliency models/frameworks and in guidance such as in SP 800-160 Vol. 2.
What is the Cybersecurity Framework’s role in supporting an organization’s compliance requirements?
The common structure and language of the Cybersecurity Framework is useful for organizing and expressing compliance with an organization’s requirements. The Framework provides a flexible, risk-based approach to help organizations manage cybersecurity risks and achieve its cybersecurity objectives. Those objectives may be informed by and derived from an organization’s own cybersecurity requirements, as well as requirements from sectors, applicable laws, and rules and regulations.
How do I use the Cybersecurity Framework to prioritize cybersecurity activities?
The Framework can help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. For example, Framework Profiles can be used to describe the current state and/or the desired target state of specific cybersecurity activities. Current Profiles indicate the cybersecurity outcomes that are currently being achieved, while Target Profiles indicate the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing these Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps to fulfill a given Category or Subcategory of the Framework Core can aid in setting priorities considering the organization’s business needs and its risk management processes.
The Framework Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which can also aid in prioritizing and achieving cybersecurity objectives. Tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.
With an understanding of cybersecurity risk tolerance, organizations can prioritize cybersecurity activities, enabling them to make more informed decisions about cybersecurity expenditures. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services. Risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs.
The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.
Small Business Use
Does the Framework apply to small businesses?
Yes. The approach was developed for use by organizations that span the largest to the smallest organizations.
Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations just getting started with cybersecurity?
NIST has a long-standing and on-going effort supporting small business cybersecurity. This is accomplished by providing guidance through websites, publications, meetings, and events. This includes a Small Business Cybersecurity Corner website that puts a variety of government and other cybersecurity resources for small businesses in one site. That includes the Federal Trade Commission’s information about how small businesses can make use of the Cybersecurity Framework.
NIST coordinates its small business activities with the Small Business Administration, the National Initiative For Cybersecurity Education (NICE), National Cyber Security Alliance, the Department of Homeland Security, the FTC, and others.
Small businesses also may find Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) a valuable publication for understanding important cybersecurity activities. It is recommended as a starter kit for small businesses. The publication works in coordination with the Framework, because it is organized according to Framework Functions.
