This framework provides a common language for managing and expressing cybersecurity for external and internal stakeholders. It can be used to supervise cybersecurity risk, and it can also be used to focus on delivering critical services within an organization. The framework's core is made up of a few key concepts: identifying, protecting, detecting, responding, and recovering. These concepts are not a checklist but key cybersecurity outcomes recognized by stakeholders as helpful in managing cybersecurity risk.
At my workplace, I could use this for a framework profile. Framework profiles can be used to report the current state or desired target state of current cybersecurity activities. Depending on how sophisticated the organization is, they could choose to have multiple profiles. The current profile describes the cybersecurity outcomes that are already being achieved, and the target profile indicates the outcomes that need to be achieved for the desired cybersecurity risk. I could also use this framework as a risk management tool. I could overlay this new framework on the current one, and it can determine gaps in their security. Lastly, I could also use this framework as a foundation for a new program.