
Framework Core

The Framework Core consists of common cybersecurity activities and goals. It comprises five concurrent and continuous functions representing activities that assist with defining and implementing the cybersecurity program. The functions are Identify, Protect, Detect, Respond, and Recover.

Functions are subdivided into categories representing cybersecurity goals which tie agency and security needs to desired outcomes. Examples of categories include Asset Management, Access Control, and Detection Processes.

Categories are further divided into subcategories that provide specific outcomes of technical and/or management activities. Examples of subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated."


The Identify Function describes activities that develop an agency's understanding of how to manage cybersecurity risk to systems, assets, data, and capabilities. These activities enable an agency to focus and prioritize its cybersecurity efforts by deepening its understanding of business context, available resources, and potential cybersecurity risks.

Asset Management


Managing cybersecurity assets (e.g. data, personnel, devices, systems, and facilities) that enable an agency to achieve its business purposes. These assets should be identified and managed based on their importance to business objectives and the types of cybersecurity risk the agency deems acceptable or unacceptable.

  1. Inventory all physical devices (e.g. computers, routers, hubs) and systems within the agency.
  2. Inventory all software platforms (e.g. Java, .NET) and applications (e.g. Microsoft Word) within the agency.
  3. Create diagrams of agency communication paths (i.e. communication between two or more devices) and data flows (i.e. a representation of the way data "flows" through an information system or network, or between users).
  4. Catalog external information systems (i.e. information systems belonging to entities external to the agency).
  5. Prioritize resources (e.g. hardware, devices, data, and software) based on their security classification (e.g. high, moderate, and low), their criticality to the mission of the agency, and their business value.
  6. Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners).


Business Environment


Deepening the understanding of the business environment (e.g. an agency's mission, objectives, stakeholders, and business activities). This information should then be prioritized and used to assign cybersecurity roles and responsibilities, and to make risk management decisions.

  1. Identify and internally communicate the agency's role in the supply chain (i.e. what good or service does the agency provide, and how would an incapacitation of the agency affect entities on both sides of the supply chain?).
  2. Identify and internally communicate the agency's place in critical infrastructure (e.g. assets, systems, and networks so vital that their incapacitation or destruction would have a debilitating effect) and its industry sector (e.g. banking, manufacturing, communications).
  3. Determine and internally communicate the priorities for the agency mission, objectives, and business activities.
  4. Determine agency dependencies and critical functions and be aware of how both affect delivery of critical services.
  5. Establish resilience requirements (i.e. establish a contingency plan addressing continuity of operations) to support delivery of critical services.

Governance

Using policies, procedures, and processes to manage and monitor an agency's regulatory, legal, risk, environmental, and operational requirements. These documents need to be understood and used to make decisions in managing cybersecurity risk.

  1. Create an agency information security policy.
  2. Coordinate and align information security roles and responsibilities with internal roles and external partners.
  3. Be aware of and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
  4. Use governance and risk management processes to address cybersecurity risks.

Risk Assessment


Determining and understanding the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals.

  1. Identify and document vulnerabilities of agency assets.
  2. Ensure threat and vulnerability information is being received from information sharing forums and sources within the security community.
  3. Identify and document both internal cybersecurity threats (i.e. threats that use the agency infrastructure to connect to the agency network) and external cybersecurity threats (i.e. threats that do not use the agency infrastructure to connect to the agency network).
  4. Identify potential business impacts and the likelihood of those business impacts occurring.
  5. Use threats, vulnerabilities, likelihood of occurrence, and business impacts to help determine risk.
  6. Identify and prioritize agency risk responses (i.e. the way the agency responds to or manages cybersecurity risks) to cybersecurity events.


Risk Management Strategy


Determining an agency's business priorities and constraints, risk tolerances, and assumptions and using them to support cybersecurity risk decisions.

  1. Establish and manage risk management processes, and ensure stakeholders agree to them.
  2. Determine and clearly communicate the agency's risk tolerance.
  3. Use the agency's role in critical infrastructure and a sector-specific risk analysis to assist with determining risk tolerance.

Supply Chain Risk Management


The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

  1. Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
  2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
  3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  5. Response and recovery planning and testing are conducted with suppliers and third-party providers.