The next component is a Framework Profile, described as “a tool to enable organizations to establish a roadmap for reducing cybersecurity risk” within broader sector goals, legal and regulatory requirements, and industry best practices. A Profile can describe the current level of cybersecurity within an organization, the target level of security, or both.
The final component consists of four Implementation Tiers that allow individual organizations to identify a “degree of rigor and sophistication in cybersecurity risk management practices” that is most consistent with the organization’s current or target profile, organizational goals, and degree of risk. The lowest tier is labeled Partial and presumes less formalized, more ad hoc and reactive cybersecurity risk management. At the next level is Risk-Informed, where the organization has approved risk management practices but their implementation is not integrated into organizationwide processes. The next tier builds on that as Risk-Informed and Repeatable, wherein the organization does have an organizationwide approach to risk that is consistently implemented and updated. At the highest tier is Adaptive, wherein the organization is fully capable of rapidly adapting its cybersecurity practices in both proactive and reactive ways to respond to emerging and evolving threats. Organizations would move up and down the tiers depending on their needs, activities, and resources.
The original executive order also required cybersecurity responses to “incorporate strong privacy and civil liberties protections.” The framework responds to that concern by providing an extensive outline of specific methodologies that will aid organizations in respecting privacy and civil liberties as they implement or upgrade their cybersecurity risk management programs. Based on a voluntary system of fair information practice principles that has been in place for a number of years, this outline is presented as a chart that corresponds to the Framework Core’s functions and categories. For each step of cybersecurity risk management implementation, it provides methodologies for identifying and addressing personally identifiable information and the organization’s constitutional, legal, and contractual requirements for protecting or securing that information.
The goal and purpose of the framework is to provide a basis for common approaches across organizations and industries to managing cybersecurity risk. If adopted, the framework may become mandatory for federal government agencies. Within the private sector, it is expected that the government will encourage and provide incentives for implementation. Organizations that extensively interact with government agencies that adopt the framework, as well as organizations identified by the Department of Homeland Security as being “high risk,” will very likely be expected to implement the framework.
NIST is seeking public comments on the proposed framework. The comment period runs through mid-December 2013. Following the comment period, NIST expects to review the comments and, if appropriate, make changes in the framework. NIST hopes to release the final Cybersecurity Framework in February 2014.