Still need a prime on the CSF? Check out my article for the Access Business Team January 2017 Newsletter on how business can improve their cyber readiness with the NIST Cybersecurity Framework.

1. January 2017 page 1
The NIST Cybersecurity Framework
Adopting the NIST Cybersecurity Framework can help any organization improve its
cyber readiness. Organizations that already have a security program based on
regulatory compliance requirements such as HIPAA and SOX or industry standards
such as PCI-DSS and ISO 27001 can use the framework to measure and
communicate the current effectiveness of implemented policies and processes
addressing cybersecurity risks. Organizations with no formal security program can
leverage the framework as a road map to identify business security needs and take
necessary steps to address cybersecurity risks to their data, operations, systems, and
employees.
Background
The framework is a result of a 2013 Presidential Executive Order titled
“Improving Critical Infrastructure Cybersecurity” which called for the
development of a voluntary risk-based cybersecurity framework based on
industry standards and best practices to help private sector organizations
manage cybersecurity risks. Faced with the growing tide of cyber attacks against
private businesses and organizations in industry sectors such as energy, financial
services, and healthcare, which are critical to our economy, national security,
and very way of life, this order was an attempt to help these organizations defend
against cybersecurity threats without creating additional regulatory burdens.
The resulting framework, released in 2014 after ten months of collaboration
between government and private sector security experts, creates a common
language to address and manage cybersecurity risk in a cost-effective manner
based on business needs.
Benefits of adopting the Framework
There are four key benefits an organization can realize by adopting the NIST
Cybersecurity Framework:
 Harmonize cybersecurity approaches and provide a common language for
discussing cybersecurity risks within and across organizations and industries.
 Establish the right level of security for an organization based on business
needs.
 Inform cybersecurity budget planning based in risk prioritization.

2. January 2017
page 2
 Communicate cybersecurity risk comprehensively to senior leadership.
Framework Components
The framework consists of three primary components: Core, Implementation Tiers,
and Profile.
The Core provides a set of activities, outcomes, and informative references providing
the detailed guidance for developing individual organizational risk management
profiles. It consists of five concurrent and continuous functions which provide a high
level, strategic view of the lifecycle of an organization’s management of
cybersecurity risk.
 Identify – Develop the organizational understanding to manage cybersecurity
risk to systems, assets, data, and capabilities.
 Protect – Develop and implement the appropriate safeguards to ensure delivery
of critical infrastructure services.
 Detect – Develop and implement the appropriate activities to identify the
occurrence of a cybersecurity event.
 Respond – Develop and implement the appropriate activities to take action
regarding a detected cybersecurity event.
 Recover – Develop and implement the appropriate activities to maintain plans
for resilience and to restore any capabilities or services that were impaired due to
a cybersecurity event.

3. January 2017
page 3
The Implementation Tiers provide context on how an organization views
cybersecurity risk and processes in place to manage that risk. Tiers describes the
degree to which an organization’s cybersecurity risk management practices exhibit
the characteristics defined in the framework.
 Tier 1 (Partial) – Risks are managed in an ad hoc manner with limited
awareness of risks.
 Tier 2 (Risk Informed) – Risk management processes and program are in
place but are not integrated enterprise-wide.
 Tier 3 (Repeatable) – Formal policies for risk management processes and
program are in place enterprise-wide.
 Tier 4 (Adaptive) – Risk management processes and programs are based on
lessons and predictive indicators derived from previous and current
cybersecurity activities.
The Profile component represents cybersecurity outcomes based on business needs
that an organization has selected from Core function categories. Profiles can be used
to identify gaps and opportunities for improving an organization’s cybersecurity risk
management posture by creating a “Current” Profile which represents the current
organization risk management posture based on implemented policies, processing,
and controls and a “Target” Profile which represents the desired posture based on
business needs. Gaps between the current and target profiles establish the baseline for
implementation of the framework and improving an organization’s cybersecurity
readiness.

4. January 2017
page 4
Bottom Line - And Next Steps
The first step to improving organizational cyber readiness is an initial “fitness”
assessment based on the framework. NIST has provided access to all framework
related information including a Reference Tool to help organizations looking to
implement the framework on their website.
Organizations that need help implementing the framework or want to learn more
about its benefits can visit the MCGlobalTech CyberRx Risk Intelligence Solution
which automates the framework and helps organizations determine their
cybersecurity risk exposure and the potential financial impact of a successful data
breach.
Source: https://www.nist.gov/cyberframework

5. January 2017
page 5
About William McBorrough
William J. McBorrough is an Information Assurance and Cyber Security leader
with an extensive background managing, designing, and implementing
medium and large enterprise physical and information technology security
solutions and programs. Mr. McBorrough is Co-Founder and Managing
Principal at MCGlobalTech, a Washington, DC-based Information Security
Management Consulting firm where he helps clients in the public and private
sectors build Risk-Focused Security Programs. Mr. McBorrough has served on
the faculty of various universities including University of Maryland University College, EC-Council
University, George Mason University and Northern Virginia Community College where he has
conducted research and taught graduate and undergraduate courses relating to cybersecurity,
cybercrime, cyberterrorism, and information security and assurance. He is a Certified Information
Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in
Risk Information System Control (CRISC), Certified Ethical Hacker (CEH) and HITRUST Certified
Common Security Framework Practitioner (CCSFP).