The NIST Cybersecurity Framework (aka Framework for Improving Critical Infrastructure Cybersecurity) is an excellent resource for all organizations. The framework has 3 components:

  1. Core – Provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
  2. Tiers – The Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management.
  3. Profiles – These are an organization’s unique alignment of its organizational requirements and objectives, risk appetite and resources against the desired outcomes of the Framework Core.

The Framework Core Elements work together as follows:

Let us take a deeper look into the Five Core Functions below. Note that these functions are not intended to form a serial path or lead to a static desired state. Rather, these functions should be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risk.

The table below lists some categories for each of the Core Functions:

NIST Cyber Security Functions

At a high level we can bucket the Five Core Functions as:

Most organizations tend to have a lot of security tooling on the Reactive side compared to the Proactive side. For example, most organizations deploy SIEM, UEBA and other tools on the Reactive side. However, they don’t necessarily have tools for proactively identifying security weaknesses that could simply be plugged or patched. Perhaps Proactive Cybersecurity is simply not sexy enough.

We will all agree that vulnerability management tools needed a transformation, since these typically required running a scan or scheduling one to identify issues. With ThreatWorx, however, there is no need for scans (or scheduled scans) at all. ThreatWorx also supports inside-out security assessments (aka Third Party Cyber Risk Management [TPCRM]) for Supply Chain Risk Management, which is an important aspect under the “Identify” Core Function of the NIST Cybersecurity Framework. Now is the time to strengthen your approach to Proactive Cybersecurity.
