NIST Cybersecurity Framework Profiles and Tiers
Continuing from our previous discussion about the NIST CSF (https://www.ericiussecurity.org/blog/nist-cybersecurity-framework-20), the Cybersecurity Framework 2.0 offers two tools called profiles and tiers.
Profiles describe your team’s current or desired cybersecurity posture, usually in terms of the outcomes you aim to achieve. Profiles help you understand, prioritize, and communicate how you’re organizing your cybersecurity efforts.
The gist of profiles is the creation of a “current profile” and a “target profile,” much like how Ericius describes creating a current and desired state while using the Cyber Defense Matrix (CDM) (https://www.ericiussecurity.org/blog/frameworks-for-cyber-success). The current profile lays out what your team is currently accomplishing and how well it’s going. The target profile explains what your desired state looks like and helps determine priorities and missing resources.
Also, just as Ericius employs the Cyber Defense Matrix, you can use current and target profiles to identify gaps and create an action plan. The CDM is more consistent in its application of the NIST CSF’s functions, and more thorough, because it spells out which assets to consider. Ericius uses the CDM first to triage your team during a gap assessment, and then more thoroughly to develop a risk registry and a plan of action and milestones during roadmapping.
The CSF also offers community profiles, which describe the baseline objectives that other teams in your sector aim to achieve. Generally, community profiles can be used as best-practice models or adopted directly as target profiles. They can also help demonstrate prudence, because they let you show that your effort is commensurate with that of your peers.
Besides profiles, NIST CSF 2.0 offers a system of tiers, or categories that describe your progression from informal risk management and ad hoc crisis response to flexible, risk-informed approaches that are constantly learning. Tiers help you take a clear-eyed view of how well you’re doing and “set the overall tone for how an organization will manage its cybersecurity risk.” (CSF 2.0, p. 8)
Tiers complement, or nest within, your team’s cybersecurity and enterprise risk management planning. They don’t replace those broader efforts, because the tiers alone can’t tell you what level of maturity you should be at. Instead, your team should weigh the costs and benefits of moving to a higher tier and exerting more effort.
That said, in my personal opinion most teams should aim for no less than Tier 2: Risk Informed, so that you’re at least engaging with risk as a team and not as a collection of individuals.
The rest of the core NIST CSF 2.0 document is just about 10 pages of discussion on supplementary (and complementary) online resources and how these can be used to set and communicate strategy within your organization. We’ll pick up next time with a discussion of the different types of IT and cybersecurity risks your team should consider.