CISA Cybersecurity Framework
The term "CISA Cybersecurity Framework" refers to the NIST Cybersecurity Framework (CSF), a voluntary, standards-based model for managing cybersecurity risk. CISA does not publish a separate framework; it promotes the NIST CSF and supports its adoption across critical infrastructure, public-sector organisations, and private businesses. Built around widely recognised practices, the framework gives organisations a roadmap for identifying risks, protecting critical systems, detecting threats, responding to incidents, and recovering operations.
The framework is intentionally flexible and scalable: an organisation of any size or maturity level can use it to plan and measure improvements in cybersecurity resilience, and the structure below describes the CSF 1.1 edition that most published guidance still references.
The Five Core Functions
These functions form the backbone of the framework:
Identify — Understand your assets, risks, dependencies, and vulnerabilities.
Protect — Implement safeguards such as secure configurations, access controls, and staff training.
Detect — Monitor systems and networks to spot suspicious or abnormal activity.
Respond — Take coordinated action to contain and mitigate cybersecurity incidents.
Recover — Restore operations, repair damage, and strengthen defences after an incident.
The framework has three components. The Core organises outcomes in a hierarchy of Functions → Categories → Subcategories, with Informative References mapping each subcategory to existing standards. Implementation Tiers and Profiles sit alongside the Core rather than beneath it: Tiers describe how rigorously risk is managed, and Profiles select which Core outcomes an organisation targets.
Together, these components create a flexible, risk-based model that organisations can adopt regardless of size, maturity, or sector.
1. The Five Core Functions (The Strategic Backbone)
These are the high-level pillars that organise the entire Core. They represent the lifecycle of cybersecurity risk management, and each has a two-letter identifier that prefixes every category and subcategory beneath it.
Identify (ID)
Build understanding of assets, risks, business context, and governance.
Protect (PR)
Implement safeguards to ensure delivery of critical services.
Detect (DE)
Develop capabilities to identify cybersecurity events quickly.
Respond (RS)
Take action to contain and mitigate the impact of a detected incident.
Recover (RC)
Restore capabilities and strengthen resilience after an incident.
These functions are intentionally simple, making them accessible to non-technical audiences while still useful for enterprise-level security programmes. Note that the five-function structure described here is CSF 1.1; CSF 2.0 (2024) adds a sixth function, Govern (GV), which absorbs the governance material that 1.1 placed under Identify.
2. Categories (The Operational Domains)
Each function is divided into categories—thematic areas that describe what needs to be achieved.
Examples include (CSF 1.1 identifier in brackets):
Asset Management (ID.AM)
Identity Management, Authentication and Access Control (PR.AC)
Awareness and Training (PR.AT)
Data Security (PR.DS)
Anomalies and Events (DE.AE)
Response Planning (RS.RP)
Recovery Planning (RC.RP)
Categories translate the high-level functions into operational focus areas; the identifier prefix shows which function each category serves.
3. Subcategories (The Specific Outcomes)
Subcategories are detailed, outcome-based statements that describe what good security looks like. Each carries an identifier that encodes its function and category, such as ID.AM-1 for the asset inventory outcome and PR.DS-2 for data-in-transit protection; these identifiers are what you score in a Profile and map to controls and evidence.
Examples:
“Physical devices and systems are inventoried.”
“Data-in-transit is protected.”
“Anomalous activity is detected in a timely manner.”
“Response plans are tested.”
These are outcomes, not controls: the framework states what should be true, and the organisation chooses which controls, from whatever standard it already uses, achieve it.
4. Informative References (The Standards Mapping Layer)
These map the framework to existing standards, such as:
NIST SP 800‑53
ISO/IEC 27001
COBIT
CIS Controls
This allows organisations to satisfy a subcategory with controls from whatever standard they already use, and to reuse existing audit evidence rather than building a parallel control set.
5. Implementation Tiers (How Rigorously Risk Is Managed)
Tiers describe the rigour of an organisation's risk management practices and how far cybersecurity risk is integrated into business decisions, from ad-hoc to adaptive. NIST is explicit that tiers are not maturity levels and that Tier 4 is not a goal for everyone: the right tier is the one that is feasible and cost-effective for the organisation's actual risk.
Tier 1 — Partial
Unpredictable, reactive, inconsistent.
Tier 2 — Risk‑Informed
Some processes exist but are not organisation‑wide.
Tier 3 — Repeatable
Policies, processes, and governance are established and consistently applied.
Tier 4 — Adaptive
The organisation adapts its practices from lessons learned and predictive indicators, treats continuous improvement as routine, and actively shares and consumes threat intelligence.
Tiers give a common vocabulary for describing current practice and choosing a realistic target; an organisation should justify moving up a tier in terms of reduced risk rather than adopting Tier 4 by default.
6. Profiles (The Customisation Layer)
Profiles allow organisations to tailor the framework to their:
mission
risk appetite
regulatory requirements
sector
resources
Two key types:
Current Profile — where you are now
Target Profile — where you need to be
The gap between them, prioritised by risk reduction and cost, becomes your improvement roadmap: each subcategory where the Target Profile asks for more than the Current Profile delivers is a work item, and subcategories already at target need only be maintained.
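To make that gap analysis concrete, the following Python is an added example written for this page; it is not code from NIST, CISA, or the page's author. The subcategory identifiers and statements follow NIST CSF 1.1 wording, while the current and target tier numbers are constructed sample data. It also assumes the common practitioner simplification of scoring a tier per subcategory, which the framework itself does not prescribe (NIST applies tiers to the organisation as a whole).

```python
"""Current-vs-Target Profile gap analysis (added example, not NIST or CISA code).

Subcategory identifiers and statements follow NIST CSF 1.1 wording; the
current/target tier numbers are constructed sample data, not an assessment
of any real organisation. Scoring one tier per subcategory is an assumption
of this example, not something the framework prescribes.
"""
from dataclasses import dataclass

# Implementation Tier names, indexed by tier number.
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One subcategory with the tier assessed today and the tier the Target Profile requires."""
    subcategory: str  # e.g. "ID.AM-1"; the prefix before '.' is the core function
    statement: str
    current: int
    target: int


# Constructed sample profile (tier values are illustrative only).
PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems within the organization are inventoried", 2, 3),
    Outcome("PR.DS-2", "Data-in-transit is protected", 3, 3),
    Outcome("DE.AE-3", "Event data are collected and correlated from multiple sources and sensors", 1, 4),
    Outcome("RS.RP-1", "Response plan is executed during or after an incident", 2, 3),
    # Target below current is almost always a data-entry error: a Target
    # Profile should never plan a regression. validate() flags it.
    Outcome("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident", 3, 2),
]


def validate(profile):
    """Return identifiers whose target tier is below the current tier (suspect data)."""
    return [o.subcategory for o in profile if o.target < o.current]


def gaps(profile):
    """Tier distance still to close per subcategory; 0 means the target is already met."""
    return {o.subcategory: max(0, o.target - o.current) for o in profile}


def function_summary(profile):
    """Sum of open gaps per core function (ID, PR, DE, RS, RC) to show which pillar is weakest."""
    summary = {}
    for o in profile:
        function = o.subcategory.split(".", 1)[0]
        summary[function] = summary.get(function, 0) + max(0, o.target - o.current)
    return summary


def roadmap(profile):
    """Ordered work list: widest gap first, then lowest current tier, then identifier."""
    open_items = [o for o in profile if o.target > o.current]
    ordered = sorted(open_items, key=lambda o: (-(o.target - o.current), o.current, o.subcategory))
    return [o.subcategory for o in ordered]


def describe(profile):
    """Human-readable roadmap lines, e.g. 'DE.AE-3: Partial -> Adaptive (gap 3)'."""
    by_id = {o.subcategory: o for o in profile}
    lines = []
    for sid in roadmap(profile):
        o = by_id[sid]
        lines.append(f"{sid}: {TIERS[o.current]} -> {TIERS[o.target]} (gap {o.target - o.current})")
    return lines


if __name__ == "__main__":
    bad = validate(PROFILE)
    if bad:
        print("Target below current (check the data):", ", ".join(bad))
    print("Open gap per function:", function_summary(PROFILE))
    for line in describe(PROFILE):
        print(line)
```

The ordering rule (largest gap, then weakest current tier) is a deliberate choice for this example; a real programme would weight each item by the risk it reduces and the cost of closing it, and the validation step exists because a target below current in a spreadsheet-driven assessment is far more often a typo than a decision.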