NIST Cybersecurity Framework

One of the more interesting developments in the compliance world is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework is a result of Executive Order (EO) 13636, “Improving Critical Infrastructure Cyber Security,” which directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based cyber security framework that provides U.S. critical infrastructure organizations with a set of industry standards and best practices to better manage cyber security risks.

While the adoption of the Cybersecurity Framework is optional for now, it can be used by critical infrastructure industries and commercial organizations to build and strengthen their cyber security prevention, detection, response and improvement capabilities. The framework does not introduce new standards or concepts; it leverages and integrates industry leading cyber security practices that were developed by organizations, including NIST and the International Organization for Standardization (ISO). This is exciting news for our clients since many of the standards and best practices we support are referenced within the framework.

The framework provides an assessment mechanism that enables organizations to determine their current cyber security capabilities, set individual goals for a target state and establish a plan for improving and maintaining cyber security programs. The framework compliments, not replaces, an organization’s risk management process and cyber security program. It includes three main components: framework core, framework implementation tiers and framework profiles.

Components of the Cybersecurity Framework:

The framework core is a set of cyber security activities, outcomes and informative references that are common across critical infrastructure sectors, organized into five concurrent and continuous functions, that provide a strategic view of how your organization’s manages cyber security risk:

  • Identify: Develop your organizational understanding on how to manage cyber security risks to systems, assets, data and capabilities.
  • Protect: Develop and implement the appropriate safeguards necessary to ensure delivery of critical infrastructure services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cyber security event through continuous monitoring.
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cyber security event through incident response.
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.

Each of the core functions is further divided into categories tied to programmatic needs and particular activities. The outcomes of activities point to informative references, which are specific sections of standards, guidelines and practices that illustrate a method to achieve the outcomes associated with each subcategory.

The framework implementation tiers describe the level of sophistication and rigor your organization employs in applying its cyber security practices, and provide a context for applying the core functions. The four tier levels describe approaches to cyber security risk management that range from informal/reactive response to adaptive/real-time response:

  • Tier 1 (Partial): Your organization’s cyber risk management profiles are not formalized, and are managed on an ad hoc basis. There is a limited awareness of your organization’s cyber security risk at the enterprise level, and an enterprise-wide approach to managing cyber security risk has not been established.
  • Tier 2 (Risk Informed): Your organization has established a cyber risk management policy that is directly approved by senior management — though not yet on an enterprise-wide basis. There is some effort by senior management to establish risk management objectives related to cyber security, to understand your organization’s threat environment and to implement cyber security procedures with adequate resources.
  • Tier 3 (Repeatable): Your organization is operating with formal cyber security procedures, which are regularly updated based on changes in risk management processes, business requirements and the changing threat and technology landscape. Cyber personnel are well-trained and can adequately perform their duties. Your organization also understands its dependencies and business partners, and receives information from them, which allows for collaboration and risk-based management decisions.
  • Tier 4 (Adaptive): Your organization adapts its cyber security practices in real time based on lessons learned and predicative indicators derived from current and past cyber security activities.

With continuous improvement incorporating advanced cyber security technologies, real time collaboration with partners and continuous monitoring of activities on their systems, your organization’s cyber security practices can rapidly respond to sophisticated threats.

The framework profile is a tool that provides your organization with a method for describing your cyber security program. Profiles enable your organization to align and improve cyber security practices based on your individual business needs, tolerance for risk and available resources. Utilizing the core and the implementation tiers, profiles can be developed describing the current “as-is” state (i.e. current profile) and the future “to-be” state (i.e. target profile). Once completed, a comparison of the current and target profiles identifies gaps that should be filled to enhance cyber security and provides the basis for a prioritized roadmap to help achieve these improvements.

Why should I be an early adopter of the Cybersecurity Framework?

The framework provides organization and structure to today’s many approaches to cyber security by assembling standards, guidelines and practices that are working effectively in industry. Regardless of whether you have a cyber security program in place, there may be unmitigated risks that can be discovered through application of the framework, leading to a more resilient cyber security program.

All too often, business cases for cyber initiatives are rejected as they fail to communicate the real benefit to an organization — largely due to the unfamiliar language used to convince targeted stakeholders. The framework solves this dilemma by providing a standardized approach for addressing cyber security goals through the creation of profiles. These profiles enable organizations to align and improve cyber security practices based on their individual business needs, tolerance for risk and resources.

By adopting the framework, your organization can collaborate with others through programs such as the online Cyber Security Forum (CForum) to share lessons learned, post questions about cyber security challenges and maintain the conversation to continually improve cyber security capabilities and standards.

While it’s not mandatory, it’s likely that the framework will eventually become the de facto standard for cyber security and privacy regulation. It may also impact legal definitions and enforcement guidelines for cyber security. Organizations that adopt the framework now may be better positioned to comply with future cyber security and privacy regulations.

By choosing to implement the framework now, organizations can potentially avoid accusations of cyber security negligence if a breach occurs. Organizations using the framework can demonstrate their due diligence in the event of a cyber attack by providing key stakeholders with information regarding their cyber security program via their established profile.

The framework provides organization and structure to today’s numerous approaches to cyber security by assembling multiple standards, guidelines and practices into one standardized format. If the framework is eventually regulated across multiple industries, this would enable auditors to evaluate cyber security programs and controls in one standard format — eliminating the need for multiple security compliance documents.

Organizations purchasing IT equipment or services can request a framework profile, providing the buying organization an opportunity to determine whether or not the supplier’s security measures align with their organizational security policies. In addition, the organization can provide a profile to the supplier or vendor to define mandatory protections that must be implemented as a condition of procurement.

The presidential directive that established the NIST Framework calls for the Department of Homeland Security to establish incentives to promote adoption of the framework. While incentives have not yet been established, there has been some discussion on cyber insurance, government grants, technical assistance and regulatory streamlining for those companies that adopt the framework.

Cybersecurity Framework Gap Analysis (Current Profile):

This is perfect for organizations that want to get started with the Cybersecurity Framework. 38North uses the framework to compare your organization’s current security activities with those outlined in the framework core. We create your current profile and measure how well your organization is achieving the outcomes described in the core categories and subcategories, aligned with the five high-level functions: identify, protect, detect, respond and recover. We’ll also provide a cost estimate to align your organization with the Cyber Security Framework, identify the risks and challenges, and point out the most critical action items.

Cybersecurity Framework Risk Assessment:

We conduct a detailed risk assessment based on your current profile to determine the likelihood of cyber security events, and the impact such events could have on your organization. We then present you with a detailed roadmap with prioritized recommendations on how to remediate weaknesses with existing or new management, operational and/or technical countermeasures.

Cybersecurity Framework Implementation Support (Target Profile and Action Plan):

Now that the risks have been identified based on your current profile, you need to develop your target profile. The target profile will document all applicable framework categories and subcategories in the context of your organization’s desired cyber security outcomes. 38North will develop an action plan based on the delta between your current and target profiles. And existing process, resources, infrastructure, systems and investments will be re-used if possible before new protective measures are considered.

Jeremiah Thompson

Director of Cloud Security Architecture

Jeremiah Thompson is 38North’s Director of Cloud Security Architecture. He leads 38North’s technical teams as they tackle engineering challenges and design secure, compliant cloud security architectures.

For over 18 years Jeremiah has helped clients in the commercial, defense and federal civilian sectors engineer secure solutions to modern cyber challenges. Prior to 38North, he served as a Director at Coalfire, one of the nation’s preeminent Third-Party Assessment Organizations (3PAOs). At Coalfire he led FedRAMP and DoD FedRAMP+ assessments supporting Fortune 500 organizations. He was also a Lead Information Security Compliance Auditor supporting the National Cancer Institute, and an Information Security Compliance Auditor at IBM.

Jeremiah currently holds CISSP, CISM, CAP, C|EH, Security+, Network+, CCSK and MCP certifications.

Andy Davidson

Senior Director of Cloud Security

Andy Davidson is Senior Director of Cloud Security at 38North. He leads 38North Senior Advisors as they prepare IaaS, PaaS and SaaS providers for the rigors of FedRAMP authorization. One of the nation’s most experienced FedRAMP practitioners, Andy has been supporting FedRAMP assessment and consulting efforts since the initial FedRAMP pilot project. He specializes in helping hyperscale Cloud Service Providers (CSPs) navigate FedRAMP requirements and successfully achieve Provisional Authorities to Operate (P-ATO).

Prior to 38North, Andy was Senior Director of FedRAMP and Assessment Services at Coalfire, one of the leading Third-Party Assessment Organizations (3PAOs). At Coalfire, he was responsible for growing the 3PAO practice and managing assessor teams in the execution of high profile assessments for Fortune 500 CSPs. He also helped start Veris Group’s 3PAO practice. Prior to Veris, Andy was an IT security consultant at Booz Allen Hamilton, supporting security assessments and engineering efforts across the federal government.

Linda Morales

Senior Director of Global Compliance

Linda Morales is the Senior Director of Global Compliance at 38North Security. She leads assessments for customers in the healthcare, federal and commercial spaces. She specializes in helping organizations prepare for and complete FISMA, FedRAMP and HIPAA assessments. She is adept at leading teams to deliver efficient, accurate security reviews that withstand scrutiny from federal regulators. Linda is also a recognized expert in Healthcare security, helping Health-IT providers secure and defend Protected Health Information (PHI).

Prior to 38North, Linda served as a Director at Endeavor Systems, where she played a key role growing the federal security services practice. She also served as Security Manager for the Federal Aviation Administration’s (FAA) enterprise-wide assessment program, with responsibility for 150+ systems across FAA.

Linda earned a BS in Computer Science and a Masters in Engineering Management, with a focus in Information Security, both from The George Washington University. She is also a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and a Registered Practitioner with the Cybersecurity Maturity Model Certification Advisory Board (CMMC-AB).

Spence Witten

Senior Advisor and Director of Business Development

Spence Witten is a 38North Senior Advisor and Director of Business Development. He serves as a trusted security advisor to 38North’s clients in the cloud services, healthcare, financial, defense and critical infrastructure communities.

Prior to 38North, Spence was Vice President of Global Sales at Lunarline. Spence led sales and marketing across ten cybersecurity business units, culminating in Lunarline’s acquisition by Motorola Solutions. Prior to becoming VP of Global Sales, Spence ran Lunarline’s US Federal Security Services practice, overseeing Lunarline’s defense, intelligence and federal civilian portfolio. He was also an early employee of Endeavor Systems. He played a key role in Endeavor’s rapid expansion in the federal, civilian, defense, and research and development markets, through to Endeavor’s successful acquisition.

An Adjunct Professor at Cleveland-Marshall College of Law, Spence serves on the Board of Directors for the Center for Cybersecurity and Privacy Protection at Cleveland State University. He is also a member of CyberOhio, the official cybersecurity advisory board for the Governor of Ohio.

Virginia Suazo

Senior Director of Cloud Security Advisory

Virginia Suazo is 38North’s Senior Director of Cloud Security Advisory. She is responsible for leading 38North’s cloud security and compliance efforts, with a speciality in helping global CSPs juggle multiple overlapping regulatory frameworks.

Before joining 38North, Virginia worked at a tech startup supporting the first and only Red Hat OpenStack Platform that is FedRAMP-authorized. She played a vital role in successfully obtaining FedRAMP Moderate and High authorizations for IaaS, PaaS, and SaaS systems, while supporting other certifications including DoD IL4/5, PCI DSS, HIPAA and HITECH. Her 15 years of cybersecurity experience also includes several tours supporting US federal agencies, including State Department, Department of Justice, Health and Human Services, Food and Drug Administration, General Services Administration and Department of Transportation.

Matt Earley


Matt Earley is 38North’s founder and President. He started 38North – the premier cloud security advisory company, in the US and internationally – to solve complex security challenges while developing trusted relationships with an elite client base.

For over 20 years Matt Earley has designed and implemented security solutions for the US and Australian federal governments, critical infrastructure, utilities, and for global finance and healthcare organizations. He focuses on lean security architecture design and prioritizing security efforts based on the critical needs of his clients.

Prior to founding 38North, Matt was the director of federal services at Endeavor Systems, where he was responsible for Endeavor’s largest business unit, serving the Federal Aviation Administration, Department of Homeland Security and some of the world’s largest security operations centers. He was also a Senior Manager in the Australian Department of Defense, where he represented Australasia on the Common Criteria Management Board.

Matt has a Bachelor of Engineering in computer engineering from the University of Canberra in Australia, and a Master’s in engineering management from George Washington University. He also is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).