
Cybersecurity Framework Frequently Asked Questions

FRAMEWORK COMPONENTS

16. What is the Framework Core and how is it used?
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. An example of Framework outcome language is, "physical devices and systems within the organization are inventoried."

The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.

17. What are Framework Profiles and how are they used?
A Framework Profile ("Profile") represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. They can also add Categories and Subcategories as needed to address the organization's risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

18. What are Framework Implementation Tiers and how are they used?
Framework Implementation Tiers ("Tiers") provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

19. Are the Tiers equivalent to maturity levels?
The Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization-wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective.

20. What is the relationship between the Framework and NIST Roadmap for Improving Critical Infrastructure Cybersecurity, which was released on the same day?
The companion Roadmap discusses NIST's next steps with the Framework and identifies key areas of development, alignment, and collaboration. These plans were based on input and feedback received from stakeholders through the Framework development process. This list of high-priority areas was not intended to be exhaustive, but these were important areas identified by stakeholders that should inform future versions of the Framework.

Created September 30, 2015, Updated August 25, 2016