Introduced in February 2014 by the National Institute of Standards and Technology (NIST), the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) offers organizations a standardized approach for managing cybersecurity activities and reducing cyber risk. In order to achieve these ends, the Framework is divided into three sections: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
The Core is a collection of cybersecurity activities derived from authoritative sources (NIST, COBIT, and ISO).
The Profile presents an overview of an organization's current and future cybersecurity posture.
The Implementation Tiers portray the maturity and rigor underlying an organization's risk management practices.
While much has been written about the development and structure of the overarching Framework, less attention has been paid to the application of the Framework Profile. NIST, recognizing that organizations come in different shapes and sizes, does not prescribe specific Profile templates, in order to allow for greater flexibility. Nevertheless, as a growing number of government agencies and regulators encourage adoption of the Cybersecurity Framework, it is crucial that leaders understand how to leverage the Framework to their advantage. This paper provides practical guidance for implementing a sustainable Framework Profile that demonstrates measurable progress in reducing cybersecurity risk.