Question: Why is Cybersecurity Assessments an Application? Answer: We used an application because each Cybersecurity Assessment has multiple data points that could not be captured in a single question in a questionnaire. One of most important parts of the Cybersecurity Framework is deciding which informative reference that you are using. If this were in questionnaire format, you could not link questions to informative references, so the user experience and ability to report on the results would suffer.
Question: Why did you create a new application, Cybersecurity Framework Library, to store the content for the Cybersecurity Framework and not use Authoritative Sources? Answer: The reason that is was built this way is that the bottom level of the Cybersecurity Framework, Informative References, need the ability to reference all levels of Authoritative Sources. Some Informative References point at the second level of an authoritative source while another might point at the fourth level.
Question: How is the Cybersecurity Framework different than a traditional Satisfied/Not Satisfied control assessment? Answer: The Cybersecurity Framework is not meant to be a control assessment, but rather an assessment of cybersecurity maturity. This why the Cybersecurity Assessments application asks the user to grade themselves on Tiers rather than a Satisfied/Not Satisfied control assessment. The tiers allow organizations to identify gaps in their desired cybersecurity posture.
For example, a company might have a Target Tier of 4, but their Current Tier is 2. This would identify where an organization might need to allocate resources. Additionally, you could end up with a Target Tier of 2, but a Current Tier of 4. This would mean that the organization is investing too much into a certain area. You can see this happen after data breach where an organization starts buying every single possible technology that could help solve the problem even though many of those technology’s functionality overlap or exceed the needed functionality.