Framework for Improving Critical Infrastructure Cybersecurity

In our article, A Need to Know Basis, we discussed the security breach that occurred at Twitter in November 2019. Twitter failed to implement basic security protocols, such as least-privilege. We also discussed how small and medium sized businesses can learn from Twitter’s mistakes. The social media giant failed to implement restrictions on removable storage devices, did not set up alerts when critical or sensitive data was accessed, and did not restrict access to sensitive data to only the users that needed it to perform core job functions. All of these best practices are outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity .

Regardless of the size of your organization, you can reduce your risk by using the Framework to identify and prioritize actions for addressing cybersecurity threats and vulnerabilities. It can be deployed on an organizational, department, or project level. It provides stakeholders a common language to understand and manage risk.

Identify, Protect, Detect, Respond, and Recover

There are five high-level Functions that are subdivided into categories and subcategories. These are outlined at the bottom of this article. Because there are several ways to implement the Framework, the functions are conducted concurrently not chronologically. It can be applied at multiple phases of a process including plan, design, build/buy, deploy, operate and decommission. The Framework is designed to complement existing cybersecurity practices and act as the foundation for new programs or mechanisms. Here are some of the ways your business can utilize this resource to reduce risk.

Conduct a Basic Review of Cybersecurity Practices

Use the Framework to answer the question, “How are we doing?” by comparing your organizations Current (“as-is”) Profile to a Target (“desired”) Profile. A Framework Profile is the alignment of the Functions, Categories, and Subcategories with your organization’s business requirements, risk tolerance, and resources. Taking time to create a Current Profile will help to determine your current level of security and identify where your organization can improve.

Establish or Improve a Cybersecurity Program

The Framework contains some suggested steps for establishing or improving programs.

Step 1   Identify the Objective and Determine the Scope

Step 2   Identify Threats and Vulnerabilities

Step 3   Create a Current Profile

Step 4   Conduct a Risk Assessment

Step 5   Create a Target Profile

Step 6   Compare the Current Profile to the Target Profile to Analyze Gaps.

Step 7   Implement an Action Plan

Support Buying Decisions

Since the Target Profile is a prioritized list of cybersecurity requirements it can be used to inform purchasing decisions. The objective would be to make the best buying decision among multiple suppliers. It can be used to compare proposed products or services to determine which ones best fill the gaps between the Current and Target Profile. It can also be used to determine if the deployment of a purchased product or service fulfills the requirements of the Target Profile through periodic review and testing.

Communicate Cybersecurity Requirements with Stakeholders

The Framework may be used as a common language to communicate requirements with stakeholders. It facilitates communication within the cybersecurity ecosystem, which contains technology suppliers, non-technology suppliers, the organization, and the end-users. The Framework can be used to express your organization’s cybersecurity requirements to a cloud service provider; communicate cybersecurity analyses to external partners; or to compare the Current Profile with acquisition requirements.

The Framework does not result in a predetermined end result. Each organization will use the Framework differently and so achieve a different result. The resource is intended to express industry best practices and provide stakeholders with the language to communicate cybersecurity requirements. We will continue to provide articles on the Functions of the Framework and how to utilize it in a small to medium sized business.


The Functions and Categories are:

Function Category  Description
Identify Asset Management The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes
 Business Environment The organization’s mission, objectives, stakeholders, and activities are understood and prioritized
 Governance The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements
 Risk Assessment The organization understands the cybersecurity risk to organizational operations, assets, and individuals.
 Risk Management Strategy The organization’s priorities, constraints, risk tolerances, and assumptions
 Supply Chain Risk Management The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
Protect Identity Management and Access Control Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices
 Awareness and Training The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties
 Data Security Information and records (data) are managed consistent with the organization’s risk strategy
 Information Protection Processes and Procedures Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
 Maintenance Maintenance and repairs of industrial control and information system components
 Protective Technology Technical security solutions are managed to ensure the security and resilience of systems and assets
Detect Anomalies and Events Anomalous activity is detected and potential impacts understood
 Security Continuous Monitoring The information system and assets are monitored to identify cybersecurity events and verify effectivness of protective measures
 Detection Processes Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Respond Response Planning Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
 Communications Response activities are coordinated with internal and external stakeholders
 Analysis Analysis is conducted to ensure effective response and support recovery activities.
 Mitigation Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
 Improvements Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recover Recovery Planning Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
 Improvements Recovery planning and processes are improved by incorporating lessons learned into future activities.
 Communications Restoration activities are coordinated with internal and external parties