After a year of preparation, the result of the executive order is coming to fruition with the release of the new “Cybersecurity Framework” from the U.S. National Institute of Standards and Technology (NIST).
In a statement from the White House, the Obama Administration commented that the framework gathers existing global standards and practices to help organizations understand, communicate and manage their cyber-risks. The “Cybersecurity Framework” is applicable both to novice organizations that are just getting started with cyber-security initiatives and to more advanced organizations.
The framework is made up of three components: the Framework Core includes information that applies across the spectrum of critical infrastructure; the Profiles component is intended to help organizations be aware of their current security posture; and the third component, called Tiers, focuses on risk.
“The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber-risk,” the White House stated. “The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk-management practices, the extent to which cyber-security risk management is informed by business needs and its integration into an organization’s overall risk-management practices.”