
3: Create a Current Profile

The Organization develops a Current profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

Purpose

The purpose of this instruction is to continue facilitating the implementation of a security program. This specifically identifies steps to take to complete Step 3: Create a Current Profile for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

Scope

  • This instruction is largely independent of the previous two steps and will touch upon every control in the NIST Cybersecurity Framework in order to determine whether the control outcomes are being achieved.
  • This instruction will use the tier system identified in the Framework Core to help determine at what level the control outcomes are achieved. This is a slight modification to the way that NIST uses the tier system, but it conforms to the feedback from the NIST Cybersecurity Workshop that occurred in April 2016.

How Well are Outcomes Achieved?

Tool: We have developed a comprehensive questionnaire to assist with this effort. It breaks the controls down into simplified questions and asks follow-up questions based on the answers you give.

Now that the impact determinations have been made, the next step is to compare which outcomes are accomplished against the NIST Cybersecurity Framework recommendations. This should begin with the list of NIST recommended controls. Consider adding any controls from NIST Special Publication 800-53 that apply to the system based on the system impact determination.

NOTE: If you are just starting out and many of your highest-impact applications/systems run across your primary network, you should start with that network as your first system (using a common controls approach). This will allow you to build from the network outward and adapt policies and procedures that will eventually encompass your entire agency.

How to Determine the Current Profile

The best way to compare control outcomes is to go through each control and determine whether the agency accomplishes it in the way the control intends.

Tool: A tool has been developed that breaks down each of the NIST security controls into a series of questions.

For instructions: Pick a download location that will be used throughout this process and put the Current Profile Questionnaire in that location. The Current and Target profile tools directly reference each other.

  • Upon opening the Current Profile Questionnaire, ensure it is opened for editing and that content (macros) is enabled.
  • The code within the spreadsheet is only used for hiding and expanding sections of the questionnaire based on your answers.
  • The initial tab “Intro” displays a non-interactive comprehensive score of the data currently entered. This will update as changes are made.
  • The tab labelled “Program Management” is based on your overall cybersecurity program. If the common controls have already been defined and implemented, these should all be marked as inherited.
  • Each of the remaining tabs corresponds directly to a NIST control family as defined in NIST SP 800-53.
  • It is critical that this assessment be completed as accurately as possible. The questions are based on the individual controls, and the answer choices are designed to best determine the level of conformance with the NIST controls that were identified previously.
  • The next step is about selecting the controls that are to be targeted for implementation, and this will further affect your score.

References

Due to the nature of this step, it does not directly correlate to any single function or category of the NIST Cybersecurity Framework. Since the assessment captures the current state of your cybersecurity program, all controls are affected.