Framework Profile

The Framework Profile represents the cybersecurity goals, selected from the Framework Categories and Subcategories on the basis of business needs. It is used to identify opportunities for improving a cybersecurity program by comparing a “Current” Profile (where you are) with a “Target” Profile (where you want to be) and then addressing the gaps to meet cybersecurity objectives. Examples of cybersecurity objectives could be “Prevent Threats”, “Reduce Vulnerabilities”, and “Prepare for contingencies”.

Current Profile

The Current Profile reflects the cybersecurity outcomes that are currently being achieved by the agency. To develop a Current Profile, review all of the categories and subcategories and determine those most important to the agency. The Current Profile designed for use with the Cybersecurity Control Implementation Interface (CCII) takes the agency through a list of controls that directly relate to the categories and subcategories of the Framework, as they are currently being performed. The result can then be used to help prioritize and measure progress toward the Target Profile.

Target Profile

The Target Profile indicates the outcomes needed, from the categories and subcategories, to achieve the desired cybersecurity goals. To develop a Target Profile, the agency should use the completed Current Profile to determine which cybersecurity goals need to be added to achieve the desired state. The Target Profile designed for use with the CCII takes the agency through a list of controls that directly relate to the categories and subcategories of the Framework to determine the desired level of performance. The CCII can be used repeatedly to make incremental improvements to an agency's cybersecurity program. This approach enables an organization to prioritize cybersecurity activities based on its resources (e.g. staffing, funding).