An Information Security Framework is designed to be flexible enough to be used both by organizations with mature cyber security and risk management programs and by those with less-developed programs. Implementation of the Framework does not imply that existing cyber security and risk management approaches are ineffective or need to be replaced. Rather, implementation means that the organization wishes to take advantage of the benefits that the Framework offers. In general, implementing the Framework provides a mechanism for an organization to:
• Assess and specifically describe its current and target cyber security posture.
• Identify gaps in its current programs, processes, and workforce.
• Identify and prioritize opportunities for improvement using a continuous and repeatable process.
• Assess progress toward reaching its target cyber security posture.
• Demonstrate the organization’s alignment with the Framework’s nationally recognized best practices.
• Highlight any current practices that might surpass the Framework’s recommended practices.
• Communicate its cyber security posture in a common, recognized language to internal and external stakeholders—including customers, regulators, investors, and policy makers.
Implementing the Framework can help organizations strengthen their existing cyber security risk management approach and more easily communicate their use of particular cyber security practices to internal and external stakeholders. Organizations with less-developed cyber security risk management programs can use the Framework to define and establish a program that addresses cyber security risk, and the communication of that risk, in a manner commensurate with the organization’s business and critical infrastructure security objectives.