What is a Framework in Cybersecurity? (A Beginner’s Guide)

Today, every individual and organization is vulnerable to cybercrime. Historically, most cybercriminals went after large enterprises expecting big payoffs if they managed to penetrate the network. Over the last few years, this is no longer the case as hackers realized that smaller companies and government agencies are easier to exploit and have fewer resources to protect their networks.

In 2019, cybercrimes in the United States increased by 17%, but the number of records exposed dropped by 64%. One conclusion we can draw from these statistics is that although cyberattacks continue to increase, hackers are less successful, and organizations are more capable of defending against attacks. A key difference is that many organizations and agencies have adopted a cybersecurity framework to protect their digital assets.

What is a Cybersecurity Framework?

A cybersecurity framework is a model you can adopt (including standards, guidelines, and best practices) to align your IT systems with your security objectives. It formalizes the organization’s approach to protecting critical business systems, application data, networks, and endpoints. While adopting a cybersecurity framework may not be mandatory, many government agencies and regulated environments require the organization to have one in place.

Different Cybersecurity Framework Examples

Choosing the framework that will work best within the scope of your operations can be challenging and depends on the organization’s industry. Different frameworks address different regulatory compliance requirements, which leads some companies to create hybrid models that address specific concerns in their business processes.

Some of the major cybersecurity frameworks include:

  • NIST – The U.S. National Institute of Standards and Technology (NIST) framework helps improve cybersecurity for owners and operators of critical infrastructure.
  • CIS – Developed more than ten years ago, the Center for Information Security (CIS) provides 20 controls and receives regular updates from government agencies, academia, and industry professionals.
  • HIPAA and PCI DSS – These frameworks are specific to the health sector (HIPAA) and financial services industries (PCI DSS). You can combine these with additional frameworks to address more than just specific, regulated information.
  • ISO/IEC 27000 Family – A comprehensive, internationally recognized cybersecurity framework that covers all aspects of information security processes and controls.

Frameworks also fall into three main categories:

  • Control Frameworks – Developing strategies and providing basic sets of controls.
  • Program Frameworks – Assessing the state of cybersecurity controls and building a comprehensive program.
  • Risk Frameworks – Identifying, measuring, and mitigating inherent risks within the company’s IT landscape.

Choosing the Right Cybersecurity Framework

In most cases, adopting the ISO/IEC 27000 family of standards will ensure compliance with any applicable laws in your industry. It covers all aspects of, and requirements for, establishing a robust Information Security Management System (ISMS).

Another popular model is the NIST framework, first published as an Executive Order (EO) in 2013. The NIST framework aims to protect vital public infrastructure from cyberattacks and secure the nation’s digital supply chains. Developed in collaboration with private sector industries and government agencies, it provides three main elements required for implementation. You can download the NIST cybersecurity framework in PDF format from the NIST website.

How the NIST Cybersecurity Framework Works

The three components of the NIST cybersecurity framework are Core, Implementation Tiers, and Profiles. Each element addresses a different level of technical detail and helps improve an organization’s cybersecurity practices.

  • Core – Provides a set of desired controls in easy-to-understand language to help the business align its security goals and reduce cyber risk.
  • Implementation Tiers – Often used as a communication tool for the cybersecurity program, covering budgets, risk appetite, and mission priorities.
  • Profiles – Give insight into how the program aligns with the desired outcomes and help identify opportunities to improve the organization’s cybersecurity controls.

Additional Cybersecurity Frameworks to Consider

One framework that will become mandatory for all defense contractors, agencies, and subcontractors is the Cybersecurity Maturity Model Certification (CMMC). Used by the Defense Industrial Base (DIB), it will soon be a mandatory requirement for all contractors who work with the U.S. Department of Defense (DOD).

CMMC provides five levels of certification that reflect the maturity of an organization’s cybersecurity framework. These levels include:

  • Level 1 – Requires a contractor to practice basic cyber hygiene like using antivirus software and regular password updates.
  • Level 2 – Documenting intermediate cyber hygiene practices to protect Controlled Unclassified Information (CUI).
  • Level 3 – Adopting good cyber practices using an institutionalized management plan following NIST 800-171 R2.
  • Level 4 – Developing processes to review current cybersecurity practices and measure the effectiveness of the framework against advanced persistent threats (APTs).
  • Level 5 – The highest level of certification requires a standardized process with optimized controls across the entire organization to protect against and respond to APTs.

Establishing an Effective Cybersecurity Framework

To protect your organization, IBOX works to secure the nation’s digital supply chains with public agencies and private firms. Our team of experienced and certified cybersecurity professionals can assist any company to understand the risks involved and develop the necessary controls to protect the entire information management environment.

Tim Mercer

Technology Executive | Business Leader | Investor

A true “bootstrapped entrepreneur,” he has started and scaled several businesses from zero to multimillion dollars in revenue. Tim is a US Army veteran and a graduate of the Small…
