Guest Alex Calis

Implementation Steps (6&7)


This article will complete the discussion of the seven Framework Implementation Steps, focusing on Steps 6 and 7: Determine, Analyze, and Prioritize Gaps & Implement Action Plan.


Step 6: Determine, Analyze, and Prioritize Gaps – This step is performed by overlaying the Current Profile developed in Step 3 with the Target Profile created in Step 5 to identify gaps. Once an organization determines the gaps in its cybersecurity program based on a review of the Current and Target Profiles, the next step is to develop and issue an Action Plan. The Framework is not prescriptive on how organizations should close gaps, the priority that should be assigned to any gap, or how resources should be identified to close the gap. The organization is required to determine these factors, including milestones, and to decide how it wants to close the gaps.


The Action Plan considers those subcategories in the Target Profile that have been determined by the Risk Assessment to represent the highest risk, and also actions that can achieve results within available cost and resources. Prioritizing which gaps to address first will likely be driven by factors such as ease of mitigation and available resources. Organizations may choose to implement an action plan in a phased approach. This enables resources to be aligned to gap-closing activities as they become available. It is important to remember that the target state is the goal of the organization. Many organizations may not attain their target state in a given fiscal cycle due to resource constraints. The action plan helps an organization track milestones that can be accomplished with existing resources while maintaining an awareness of the intended target state.


Step 7: Implement Action Plan – This one really is that straightforward. Organizations can use their existing processes for developing a road map, if necessary, and the required status-reporting metrics that help them track gap-closing activities.


An action plan can be addressed in phases, such as near-term “quick fix” remediation and longer-term remediation projects that may have to be phased in based on risk criticality, funding, and resources. The plan should be updated regularly to track and close gaps, address new gaps and risks, and support implementing a maintenance process to update profiles, risk assessments, asset lists, and other key cybersecurity artifacts.


The seven steps identified in the Framework are not a ‘once and done’ process. Rather, organizations should repeat the steps as required. When the steps need to be repeated, and whether the trigger is time driven or event driven, are factors for the organization to decide; however, with today’s changing threats and new attacks being developed daily, organizations may choose to repeat a select few steps, such as Step 4 (Conduct a Risk Assessment), more regularly than the other steps.


As a reminder, this web series identifies one interpretation for using the Cybersecurity Framework. Organizations may choose to tailor their implementation to meet their organizational needs. The overall goal for using the Cybersecurity Framework remains unchanged: improve and implement a risk-based cybersecurity program.
