# NIST Framework for Improving Critical Infrastructure Cybersecurity

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
NIST National Institute of Standards and Technology

# Overview

The National Institute of Standards and Technology developed the "Framework for Improving Critical Infrastructure Cybersecurity," which describes a voluntary risk management framework ("the Framework") that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

# Components

The Cybersecurity Framework consists of three main components:

  1. Core
  2. Implementation Tiers
  3. Profiles

The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.

The Core includes five high level functions:

  • Identify (ID)
  • Protect (PR)
  • Detect (DE)
  • Respond (RS)
  • Recover (RC)

Spread across these five functions are 23 categories.

The image below depicts the Framework Core's Functions and Categories:

Framework Core Categories and Functions
Framework Core Categories and Functions

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

# Noteworthy

# Sources