1. Identify – assets you need to protect
2. Protect – strengthen, train and limit impact
3. Detect – security problems and strengthen & train
4. Respond – to an incident
5. Recover – from an incident
Elections Cybersecurity: What Are We Working Toward?
The NIST 800-53 Cybersecurity Framework for Election Management and Election Infrastructure
The Framework is a set of desired cybersecurity activities and outcomes organized into Categories and aligned to Informative References. The Framework Core is designed to be intuitive and to act as a translation layer that enables communication between multi-disciplinary teams by using simple, non-technical language. The Core consists of three parts: Functions, Categories, and Subcategories. The Core includes five high-level Functions: Identify, Protect, Detect, Respond, and Recover. These five Functions apply not only to cybersecurity risk management but also to risk management at large. The next level down is the 23 Categories, which are split across the five Functions. The image below depicts the Framework Core's Functions and Categories.
The Categories were designed to cover the breadth of cybersecurity objectives for an organization without being overly detailed. They cover topics across cyber, physical, and personnel security, with a focus on business outcomes.
Subcategories are the deepest level of abstraction in the Core. There are 108 Subcategories, which are outcome-driven statements that provide considerations for creating or improving a cybersecurity program. Because the Framework is outcome-driven and does not mandate how an organization must achieve those outcomes, it enables risk-based implementations that are customized to the organization's needs.
The five Subcategories pictured from the Business Environment Category (ID.BE) provide an example of the outcome-focused statements found throughout the Core. The column to the right, Informative References, supports the Core by providing broad references that are more technical than the Framework itself. Organizations may use some, none, or all of these references to inform the activities they undertake to achieve the outcome described in the Subcategory.
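The three-level Core described above (Function > Category > Subcategory, with Informative References hanging off each Subcategory) is easy to model as data, and the usual way an election office puts it to work is a gap analysis: score each outcome in a Current Profile, score it again in a Target Profile, and prioritise the difference. The script below is an added example written for this page, not code from NIST or from any election authority. It encodes only the Identify Function and the ID.BE Category; the Subcategory IDs and outcome wording follow CSF v1.1, while the reference strings are an illustrative subset of the Informative References and the 0-4 scoring scale for Profiles is an assumption chosen for the example.

```python
"""Model the Framework Core hierarchy and run a Current-vs-Target Profile gap analysis."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Subcategory:
    ident: str                         # e.g. "ID.BE-1"
    outcome: str                       # outcome-driven statement from the Core
    references: Tuple[str, ...] = ()   # Informative References (illustrative subset)


@dataclass(frozen=True)
class Category:
    ident: str
    name: str
    subcategories: Tuple[Subcategory, ...]


@dataclass(frozen=True)
class Function:
    ident: str
    name: str
    categories: Tuple[Category, ...]


# Constructed excerpt of the Core: the Identify Function with its Business Environment Category.
# IDs and outcome text follow CSF v1.1; the reference strings are an illustrative subset (assumption),
# not the full Informative Reference table.
CORE: Tuple[Function, ...] = (
    Function("ID", "Identify", (
        Category("ID.BE", "Business Environment", (
            Subcategory("ID.BE-1", "The organization's role in the supply chain is identified and communicated",
                        ("ISO/IEC 27001:2013 A.15.1.1", "NIST SP 800-53 Rev. 4 CP-2, SA-12")),
            Subcategory("ID.BE-2", "The organization's place in critical infrastructure and its industry sector "
                        "is identified and communicated", ("NIST SP 800-53 Rev. 4 PM-8",)),
            Subcategory("ID.BE-3", "Priorities for organizational mission, objectives, and activities are "
                        "established and communicated", ("NIST SP 800-53 Rev. 4 PM-11, SA-14",)),
            Subcategory("ID.BE-4", "Dependencies and critical functions for delivery of critical services "
                        "are established", ("ISO/IEC 27001:2013 A.11.2.2", "NIST SP 800-53 Rev. 4 CP-8, PM-8")),
            Subcategory("ID.BE-5", "Resilience requirements to support delivery of critical services are "
                        "established for all operating states", ("NIST SP 800-53 Rev. 4 CP-2, CP-11")),
        )),
    )),
)


def index_subcategories(core: Tuple[Function, ...] = CORE) -> Dict[str, Tuple[Function, Category, Subcategory]]:
    """Flatten the three-level Core into a lookup keyed by Subcategory ID."""
    idx: Dict[str, Tuple[Function, Category, Subcategory]] = {}
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                idx[sub.ident] = (fn, cat, sub)
    return idx


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 core: Tuple[Function, ...] = CORE) -> List[dict]:
    """Return Subcategories whose Current Profile score falls short of the Target, largest gap first.

    Scores use a constructed 0-4 scale (0 = outcome not achieved, 4 = achieved and regularly reviewed).
    A Subcategory absent from the Current Profile is treated as unassessed, i.e. score 0.
    """
    idx = index_subcategories(core)
    unknown = (set(current) | set(target)) - set(idx)
    if unknown:
        raise ValueError(f"Profile references Subcategories not in the Core: {sorted(unknown)}")
    rows = []
    for ident, (fn, cat, sub) in idx.items():
        cur, tgt = current.get(ident, 0), target.get(ident, 0)
        if cur < tgt:
            rows.append({"id": ident, "function": fn.name, "category": cat.name, "current": cur,
                         "target": tgt, "gap": tgt - cur, "references": sub.references})
    rows.sort(key=lambda r: (-r["gap"], r["id"]))   # biggest shortfall first, stable by ID
    return rows


def category_coverage(current: Dict[str, int], core: Tuple[Function, ...] = CORE) -> Dict[str, float]:
    """Fraction of each Category's Subcategories with any implementation (score > 0)."""
    out: Dict[str, float] = {}
    for fn in core:
        for cat in fn.categories:
            done = sum(1 for s in cat.subcategories if current.get(s.ident, 0) > 0)
            out[cat.ident] = done / len(cat.subcategories)
    return out


if __name__ == "__main__":
    # Constructed sample Profiles for a small election office.
    current_profile = {"ID.BE-1": 2, "ID.BE-2": 3, "ID.BE-3": 1, "ID.BE-4": 0}
    target_profile = {"ID.BE-1": 3, "ID.BE-2": 3, "ID.BE-3": 3, "ID.BE-4": 3, "ID.BE-5": 2}
    for row in gap_analysis(current_profile, target_profile):
        print(f"{row['id']:8} gap={row['gap']} ({row['current']}->{row['target']}) "
              f"consult: {'; '.join(row['references'])}")
    print("coverage:", category_coverage(current_profile))
```

The gap rows carry the Informative References for each shortfall, so the output doubles as a reading list: the Framework states the outcome, and the references are where a team looks for the technical detail on reaching it. Unknown IDs raise rather than being silently dropped, which matters when Profiles are maintained in spreadsheets by non-technical staff.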