Perspectives from and for U.S. Federal Agencies.
“Another key resource developed through the collaboration between government and industry is the National Institute of Standards and Technology Cybersecurity Framework (https://www.nist.gov/cyberframework). This voluntary framework provides a mapping of cybersecurity control objectives to industry standards, guidelines, and practices designed to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”
January 27, 2020 - OCIE Cybersecurity and Resiliency Observations (p. 10)
“Our postmarket guidance outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use. The FDA’s policy leverages the National Institute for Standards and Technology’s Framework for Improving Cybersecurity of Critical Infrastructure. This underscores the importance of adoption by medical device manufacturers of the Framework’s five core functions – identify, protect, detect, respond and recover.”
Statement from FDA Commissioner Scott Gottlieb, Oct 1, 2018
“I also encourage every American to learn more about how to protect themselves and their businesses through the Department of Homeland Security’s STOP.THINK.CONNECT. campaign and the Department of Commerce’s NIST Cybersecurity Framework.”
President Donald J. Trump
September 28, 2018 - Presidential Proclamation on National Cybersecurity Awareness Month
“…NIST and industry, which jointly developed the Framework, are pleased that the Framework is being identified as an ideal means to manage agencies’ cyber risks.”
Ann M. Beauchesne, Senior Vice President, and Matthew J. Eggers, Executive Director, Cybersecurity Policy, U.S. Chamber of Commerce
January 19, 2018 – US Chamber of Commerce RFC Response
“Although the Framework is an evolving guide that is not designed to serve as a regulatory standard, it establishes a useful common lexicon for businesses to discuss their approaches to cybersecurity.”
“As the Framework recognizes, there’s no one-size-fits-all approach to managing cybersecurity risk. Because organizations have unique risks—different threats, different vulnerabilities, different risk tolerances—their approaches to risk management will vary. But that’s the benefit of the Framework: It’s not a checklist, but rather a compilation of industry-leading cybersecurity practices that organizations should consider in building their own cybersecurity programs. For most organizations, critical infrastructure or not, the Framework may be well worth using solely for its stated goal of improving risk-based security. But it also can deliver additional benefits—for example, encouraging effective collaboration and communication with company executives and industry organizations.”
Federal Trade Commission
Business Blog - August 2016
“The NIST CSF provides a roadmap for federal agencies and organizations to develop a robust cyber risk management plan that can evolve as quickly as threats do…The level of support for the NIST CSF shows that federal agencies and contractors are keenly aware that managing cyber risk is a critical issue at every level of an organization.”
Richard P. Tracy, CSO, Telos Corporation
The 2017 Public Sector Cyber Risk Management Report - September 26, 2017
“Data from the survey reveals strong support for the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as 83 percent of federal employees and contractors said they favored the NIST CSF being mandated across federal agencies, which was a critical part of the President’s Cyber Executive Order in May 2017. Overall, 88 percent of respondents said that the NIST CSF ‘effectively helps organizations manage risk.’”
“In terms of federal adoption, 61 percent of respondents said they have started implementing the CSF, per the president’s cybersecurity executive order….There will likely be changes in processes and even technology as they work to mitigate risks and strengthen security strategies. And during those times of change, it’s important that senior leaders and the employees they serve understand the current state of cyber operations, how the CSF can help and what it will take to reach their desired end state. What makes the CSF such a valuable resource is there are measurable benefits. For example, using the “Identify” function of the Cybersecurity Framework can help agencies understand what security tools they have and whether they align with their mission and business values. Communicating the benefits of any investment in these terms provides clarity for leadership and other agency stakeholders. But agencies can’t stop there. Once cybersecurity investments are designated a priority, the appropriate budget must be in place to fund those initiatives. That’s a key area where the CSF can help, by enabling agency leaders, finance and cybersecurity professionals to speak the same language when talking about security and to properly fund those efforts.”
Symantec, DLT Solutions, and GovLoop, “Identifying Agency Risks with the NIST Cybersecurity Framework, Research Brief,” October 2017