The framework is divided into three main sections: a framework core, profiles, and implementation tiers. “The Framework Core consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk,” according to the document. A profile records which of the framework’s outcomes an organization has selected given its business needs and risk tolerance; comparing a current profile with a target profile shows where the cybersecurity program falls short of where the organization wants it to be. Finally, the implementation tiers characterize how rigorously cybersecurity risk is managed by an organization, from Tier 1 (Partial) to Tier 4 (Adaptive). “The tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints,” the framework states.
Stine emphasizes the criticality of the private sector’s feedback and suggestions in crafting the framework. “We’ve gained tremendous input and insight from the actual critical infrastructure owners and operators, really the key target audience of this framework development effort,” he says. “They’re the ones who are working in the trenches on a daily basis, day in and day out to deliver these critical services, and they’re the ones who also see firsthand the evolving threat environment that they each face.”
Jeff Greene, senior policy counsel at Symantec, which makes computer security software, says the framework is easy to understand, even for organizations that are starting new cybersecurity programs. “There are a lot of other frameworks and approaches and controls out there, but one of the things about the NIST framework that I like is that it’s written in relatively plain English. Anything that talks about cybersecurity is going to be somewhat technical, but it’s something that you don’t have to be very sophisticated to look at and say, ‘Okay, I get it, I know what they want me to do here,’” he tells Security Management.
One concern voiced by private industry was the way the cybersecurity framework would deal with privacy and civil liberties. The preliminary framework guidelines, released in October 2013, set aside a lengthy appendix to outline controls and procedures to protect the privacy of individuals. Public comments noted that this privacy section was too broad to be useful to most companies.
For example, Harriet Pearson, a partner at the law firm of Hogan Lovells US LLP, in Washington, D.C., commented that the privacy methodology included in the framework “should be narrowed and focused so that, like the rest of the framework, it reflects private sector practices.” Specifically, Pearson advocated that the framework include issues such as identifying and addressing the privacy implications of access control measures that involve the collection or use of protected information.