With a mission to promote innovation and industrial competitiveness, the U.S. government, in partnership with private entities and academicians, has prepared this voluntary framework. The Framework is voluntary guidance, based on existing standards, guidelines and practices, for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. The Framework’s Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
The Core represents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. This Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. An organization can use this Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment. This Framework guides how awareness of real and potential threats and vulnerabilities can be used to enhance an organization’s cybersecurity program.