The NIST CSF contains terminology and concepts that may be expressed in specific ways to include perspectives and usages that may be unique to the framework implementation and different from what you are used to dealing with in your normal operations. You must have a basic understanding of security fundamentals used throughout the industry. For instance, the familiar CIA triad will be mentioned extensively throughout our courses. Additionally, there are some aspects of the framework that are contained throughout all discussion of the topics in this course. We’re introducing them here, they include: Cybersecurity & Information Security, Drivers of Business & Environments, and Cybersecurity Fundamentals. These concepts will be included in various discussions throughout all modules of this course, and you should become familiar with them.

The NIST CSF, because it is a risk-based approach for managing cybersecurity risk, is composed of three parts: the Framework Core with its four areas and five processes, the four Framework Implementation Tiers and its programs and processes, and the Framework Profiles, goals, types and levels. Each Framework component reinforces the connection between business and mission drivers and cybersecurity activities.

The NIST CSF provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure products and services. For example, an organization may use a target profile to express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data). In addition, an organization may express its cybersecurity state through a current profile to report results or to compare with acquisition requirements, we will cover more examples in the course.

Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the potential resulting impacts. With this information, organizations can determine the acceptable level of risk for achieving their organizational objectives and can express this as their risk tolerance. Risks affecting organizations can have consequences from economic performance impacts to professional reputation. In this course we discuss the RMF process which provides a disciplined, structured, and flexible process for managing security and privacy risk which includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. We also discuss how managing risk by identifying, assessing, and responding to risk helps organizations perform better in an environment full of uncertainty.

Cyber SCRM is the set of activities necessary to manage cybersecurity risk associated with external parties. More specifically, cyber SCRM addresses both the cybersecurity effect an organization has on external parties and the cybersecurity effect external parties have on an organization.

The core functions are a listing of categories, subcategories and informative references that describe specific cybersecurity activities common across all critical infrastructure sectors. They are not intended to form a serial path or lead to a static desired end state. Rather, the functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. This course describes the six framework core functions (Govern, Identify, Protect, Detect, Respond and Recover) and includes descriptions of categories, subcategories and informative references.

The CSF is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. It provides a means of expressing cybersecurity requirements to business partners and customers. Additionally, it can help identify gaps in an organization’s cybersecurity practices. The course outlines the steps an organization can use to compare their current cybersecurity activities with those outlined in the CSF core through the creation of profiles to determine if it has opportunities to or needs to improve.

The CSF is designed to reduce risk by improving the management of cybersecurity risk to organizational objectives. Ideally, organizations using the Framework will be able to measure and assign values to their risk along with the cost and benefits of steps taken to reduce risk to acceptable levels. This course describes the importance of having a clear understanding of the organizational objectives, the relationship between those objectives and supportive cybersecurity outcomes, and how those discrete cybersecurity outcomes are implemented and managed to assist the organization in predicting whether a cybersecurity risk may occur, and the impact it might have.