Kristen LeClere

Understanding the Framework Core


The Framework Core is the first of three parts identified within the Framework. The Framework Core provides a set of cybersecurity activities, desired outcomes, and applicable references. It presents this information through a hierarchy that establishes a standard format for describing and implementing a cybersecurity program. The hierarchy starts by defining five (5) basic Functions of a cybersecurity program. The Functions are then broken into Categories that describe the outcomes for each Function; the Categories are further broken into Subcategories that provide specific outcomes of technical and/or management activities; Informative References complete the hierarchy. Where Subcategories provide specific information on what needs to be done, the Informative References provide information on how it can be done, relying on proven practices.


Using ID.AM-1 as an example, the Framework Core provides a breakdown of the Identify Function to the Asset Management (ID.AM) Category. The Asset Management Category describes the activities required to perform Asset Management (e.g. identify and manage assets consistent with their business purposes). The Asset Management Category is subdivided into six (6) unique Subcategories. Each Subcategory describes a specific outcome that can be achieved to address the activities identified in the Category. For ID.AM-1, the outcome states "Physical devices and systems within the organization are inventoried." The Subcategory does not describe how an organization should conduct a physical inventory (e.g. manual or automated), nor does it describe who should perform the inventory or how often. Organizations can determine how to implement this outcome based on their business requirements and risk tolerance. It is this flexibility within the Core that gives organizations the ability to implement the Core based on their unique requirements.

The Framework Core also provides Informative References to assist organizations in meeting the outcomes described in each Subcategory. The Informative References were selected based on feedback received throughout the workshops and on their adoption throughout industry. For example, ID.AM-1 lists CM-8 as a NIST SP 800-53 Rev. 4 Informative Reference. CM-8 provides two control objectives, supplemental guidance, and nine control enhancements that can help organizations determine how to obtain the outcome described in the Subcategory. It is important to keep in mind that the Informative References are simply that…References. They are not meant to provide additional rigor. Organizations should determine which, if any, Informative References they want to use to help them determine how they should obtain the outcome described in the Subcategory.

While the Framework Core provides Functions for addressing the breadth of concerns within a cybersecurity program, it is not all-inclusive. Organizations may need to add new Categories and Subcategories to ensure unique requirements, standards, audit controls, and/or applicable laws are addressed. Additionally, organizations may choose to remove Categories or Subcategories that are not relevant based on their business drivers or requirements, or in order to stay within their risk threshold.
How has your organization used the core to help improve, develop, or maintain your cybersecurity program?
Next week’s post will discuss the Implementation Tiers.
