Technology: Dissecting the first version of the NIST’s cybersecurity framework

The framework is comprised of three main elements: the “core,” “tiers,” and “profiles”

On Feb. 12, 2014, following a year-long development process, the Commerce Department's National Institute of Standards and Technology (NIST) released a framework for improving critical infrastructure cybersecurity. Although aimed in particular at providers of energy, financial, health care, communications, and other critical systems and services, the framework provides a standard model for the creation of new cybersecurity programs and the evaluation and improvement of existing programs that can be used by organizations of any size and in any industry.

The framework has its genesis in Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Issued by President Obama in February 2013, the order called for stakeholders in the private and public sectors to collaborate in the development of voluntary, industry-specific standards to help organizations improve the security of critical infrastructure and reduce the risks posed by cyber-attacks. In the year since the order was issued, NIST sought input from individuals and organizations on how cyber-risk can be managed in a cost-effective manner without imposing an additional regulatory burden on businesses.

The fruit of that effort, the framework describes and defines a common taxonomy and mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state; and
  5. Communicate among internal and external stakeholders about cybersecurity risk.

The framework is expected — and intended — to evolve and change along with technology, and as such is best understood as the starting point of an ongoing effort to improve the country’s cybersecurity.

The framework is comprised of three main elements: the “core,” “tiers,” and “profiles.” The “core” consists of five concurrent and continuous functions — identify, protect, detect, respond and recover — that allow organizations to conceptualize and systematize their approach to cybersecurity. Each of the core functions is further divided into categories tied to programmatic needs and particular activities, such as “Asset Management,” “Access Control,” and “Detection Processes.” Categories, in turn, are divided into subcategories that identify specific activities or outcomes, such as “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.” These outcomes or activities refer to informative references, which are specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.

“Tiers” describe the level of sophistication and rigor an organization employs in applying its cybersecurity practices, and provide a context for applying the core functions. Comprising four levels from “Partial” (Tier 1) to “Adaptive” (Tier 4), the tiers describe approaches to cybersecurity that "range from informal, reactive responses to agile and risk-informed." Applying the definitions provided in the framework, a business can characterize its current cybersecurity practices and select a target level appropriate to the cybersecurity threats it faces.

The framework “Profile” is the alignment of the core functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization into a comprehensive map for reducing cybersecurity risk. Creation of current and target profiles can help direct organizations’ efforts toward improved cybersecurity in a methodical manner.
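To make the Core, Tier and Profile relationship concrete, here is an added example (not from the article or from NIST) that models a small slice of the Core using the three subcategory outcomes quoted above, assigns each a tier in a Current and a Target Profile, and produces the prioritized gap list and progress measure the framework's steps 3 and 4 call for. The subcategory identifiers follow CSF 1.0 naming, and the NIST SP 800-53 control references are an illustrative mapping that should be checked against the framework's own informative-references table.

```python
from dataclasses import dataclass

# Implementation tiers as named in CSF 1.0; the article quotes Tiers 1 and 4.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Subcategory:
    ident: str         # CSF 1.0 subcategory identifier
    function: str      # one of the five core functions
    category: str
    outcome: str
    references: tuple  # informative references (illustrative; verify against the framework)

# Constructed slice of the Core built from the three outcomes the article quotes.
CORE = (
    Subcategory("ID.AM-4", "Identify", "Asset Management",
                "External information systems are catalogued",
                ("NIST SP 800-53 Rev. 4 AC-20, SA-9",)),
    Subcategory("PR.DS-1", "Protect", "Data Security",
                "Data-at-rest is protected", ("NIST SP 800-53 Rev. 4 SC-28",)),
    Subcategory("RS.AN-1", "Respond", "Analysis",
                "Notifications from detection systems are investigated",
                ("NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4",)),
)

def validate_profile(profile):
    """A Profile maps every Core subcategory to a tier 1..4; reject anything else."""
    known = {s.ident for s in CORE}
    bad = [k for k, t in profile.items() if k not in known or t not in TIERS]
    if bad or known - profile.keys():
        raise ValueError(f"bad entries {bad}, missing {sorted(known - profile.keys())}")

def gap_analysis(current, target):
    """Compare a Current Profile with a Target Profile: subcategories below
    target, largest gap first, with the references that show how to close it."""
    validate_profile(current); validate_profile(target)
    gaps = [{"ident": s.ident, "function": s.function, "outcome": s.outcome,
             "gap": target[s.ident] - current[s.ident],
             "from": TIERS[current[s.ident]], "to": TIERS[target[s.ident]],
             "references": s.references}
            for s in CORE if target[s.ident] > current[s.ident]]
    return sorted(gaps, key=lambda g: (-g["gap"], g["ident"]))

def progress(current, target):
    """Share of subcategories already at or above their target tier."""
    validate_profile(current); validate_profile(target)
    return sum(current[s.ident] >= target[s.ident] for s in CORE) / len(CORE)

# Constructed profiles for a hypothetical organization assessing itself.
CURRENT = {"ID.AM-4": 1, "PR.DS-1": 3, "RS.AN-1": 1}
TARGET = {"ID.AM-4": 3, "PR.DS-1": 3, "RS.AN-1": 4}
```

Running `gap_analysis(CURRENT, TARGET)` ranks the Respond gap (Partial to Adaptive) ahead of the Identify gap, while `progress(CURRENT, TARGET)` reports that one of the three subcategories is already at its target tier.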

NIST also released a "Roadmap" to accompany the framework. The Roadmap describes NIST’s vision of the development of future framework versions, in which NIST will continue to serve as a convener and coordinator working to help organizations understand, use and improve the framework.

By creating a standardized conceptual approach to cybersecurity, the framework provides an extremely useful tool for businesses of all sizes, in all geographic locations, and across all industries. The framework is available online.

Contributing Author

Kit Winter

Kit Winter is a member at law firm Dykema Gossett in Los Angeles and focuses on internet, intellectual property and business litigation. He can be...
