The NIST Cybersecurity Framework consists of three main components:
- The Core
- Implementation Tiers
- Profiles
In this post we will be focusing on the third component, Profiles.
What are NIST Cybersecurity Framework Profiles?
Framework Profiles enable organizations to build a roadmap for reducing cybersecurity risk. Essentially, a Profile is a tool for identifying opportunities to improve an organization's cybersecurity posture. Each organization has a unique combination of business requirements, risk appetite, resources, and objectives, and a Profile records these against the desired outcomes described in the Framework Core (its Functions, Categories, and Subcategories).
An organization can use Profiles to compare its Current Profile (the outcomes it achieves today) against a Target Profile (the outcomes it needs to achieve). The differences between the two are the gaps in its cybersecurity posture and, in turn, its opportunities for improvement; prioritized with cost, risk, and available resources in mind, they become the roadmap. Because the Framework is voluntary, there is no "right" or "wrong" way to use Profiles. They are simply a tool to help you get the most out of the Cybersecurity Framework as a whole.
If you are not sure where to start, one method is to map out your cybersecurity requirements, objectives, methods of operation, and current practices, then compare them against the Subcategories in the Framework Core to produce your Current Profile.