Perspectives intended for general applications.
"It's really Framework first. It's incredibly important today, in this dynamic threat environment, that organizations build an elastic cybersecurity strategy that can grow and expand continuously to mitigate that risk that they face and the framework does exactly that."
Ed Cabrera, Trend Micro's Chief Cybersecurity Officer
June 7, 2018 - NIST Framework as a Foundation
"...business leaders and policymakers view the Framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad....The U.S. Chamber wants companies to invest heavily in sound cybersecurity practices, particularly having a plan and exercising it regularly. The Framework enables organizations—regardless of their size, risk profile, or cyber sophistication—to develop a plan from scratch or improve an existing one."
Matt Eggers, Vice President, Cybersecurity Policy, U.S. Chamber of Commerce
April 16, 2018 - One and Done? Not for NIST and the Cyber Framework
“On behalf of the nearly 200 members of Business Roundtable, an association comprised of chief executive officers of leading U.S. companies representing all sectors of the economy….We believe that NIST’s leadership in developing the voluntary and risk-based Framework has improved our nation’s cybersecurity posture. The Framework provides companies of all sizes with a flexible approach to evaluate their cybersecurity posture as threats and vulnerabilities evolve…. Business Roundtable promotes use of the Framework with our member companies and believes the Framework provides a solid baseline for cybersecurity risk management practices. Many of our member companies leverage the Framework in various ways.”
Julie Sweet, Chief Executive Officer - North America Accenture and Chair, Technology, Internet and Innovation Committee, Business Roundtable
January 19, 2018 – Business Roundtable RFC Response
“…there is broad consensus in industry that the Framework is a sound baseline for businesses’ cyber practices, including internationally. The Chamber…wants to sustain the view held by most businesses and policymakers that the Framework is a cornerstone for managing enterprise cybersecurity risks and threats globally.…”
Ann M. Beauchesne, Senior Vice President, and Matthew J. Eggers, Executive Director, Cybersecurity Policy, U.S. Chamber of Commerce
January 19, 2018 – US Chamber of Commerce RFC Response
“We believe the good principles outlined in the Framework have the potential to help countless organizations …in the development of robust cyber risk management that is more proactive than reactive. Since NIST issued the initial Framework in 2014, PwC has advised clients on the many potential benefits of adopting the Framework. The relevance of the Framework has continued to grow as organizations from a wide array of sectors put it into action. For example, in PwC’s 2018 Global State of Information Security® Survey (GSISS), respondents from healthcare payer and provider organizations, as well as oil and gas companies, say the NIST Cybersecurity Framework is the most commonly adopted set of information security standards in their respective industries. Further, many financial institution clients embrace benchmarking of their cyber risk management programs against the NIST Cybersecurity Framework.”
Sean Joyce, PwC’s Cybersecurity and Privacy practice
January 19, 2018 – PwC RFC Response
“ITI has long commended NIST’s work in partnering with the private sector and other stakeholders to further the development and use of the voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”), and Draft 2 incorporates important changes to deepen and broaden the effectiveness of the Framework in helping a broad array of stakeholders better manage cybersecurity risks. ITI continues to support the approach embodied in the Framework, which leverages public-private partnerships, is grounded in sound risk management principles, and helps foster innovation due to its flexibility and basis in global standards.”
John Miller, Vice President for Global Policy and Law, Cybersecurity and Privacy, Information Technology Industry Council (ITI)
January 19, 2018 – ITI RFC Response
“CA Technologies has been an active user of the Cybersecurity Framework for more than two years. The Framework helps provide a common lexicon to discuss cybersecurity risks and priorities throughout our enterprise, and with customers and suppliers. CA has adopted the Framework as the central, organizing foundation for our internal information security program, and it serves as the means through which we communicate CA’s cybersecurity posture to our Board of Directors. CA Technologies is utilizing the Framework to assess, prioritize, and improve our own cybersecurity program. Our use of the Framework reaffirmed and validated many of the controls and processes that we already had in place, and it also aligned with areas where we were investing to improve technology processes. We are using the Framework to continuously evaluate and measure our cybersecurity program and to prioritize the investments we are making to improve our overall posture in a constantly changing cyber threat landscape…. The Cybersecurity Framework is increasingly being adopted by a full range of critical infrastructure and other organizations, both in the US and internationally. The flexibility built into the Framework recognizes that different organizations have diverse business and cybersecurity priorities, and face a range of distinct threats.”
January 19, 2018 – CA Technologies RFC Response
“…ICBA supports the efforts by NIST to continue to promote the Framework to all sectors beyond critical infrastructure, particularly those not supervised and examined on their cybersecurity risk policies and practices.”
Jeremy Dalpiaz, Assistant Vice President, Cyber Security and Data Security Policy, Independent Community Bankers of America (ICBA)
January 19, 2018 – ICBA RFC Response
“TIA has participated in NIST’s process since the Framework’s inception and is pleased to see the Framework continue to gain popularity as an invaluable resource for cybersecurity risk management across sectors and internationally. TIA and its members look forward to continued partnership on this initiative as we reaffirm commitment to a voluntary, consensus-based, industry-driven approach. In the few years since its publication, the tangible, voluntary nature and utility of the Framework has led to its use beyond the scope of the critical infrastructure organizations for which it was originally conceived. Such use is indicative of the success of the Framework as a burgeoning cybersecurity risk management tool.”
Savannah Schaefer, Policy Counsel, Government Affairs Telecommunications Industry Association (TIA)
January 19, 2018 – TIA RFC Response
“We want to reiterate our support for how the NIST CSF leverages some of the most widely reputed and accepted certifications, which allows adopting organizations and their reviewers (e.g. third party auditors, regulators, oversight entities, etc.) to streamline and re-use, instead of over-engineer and redo.”
Chris Gile, Senior Manager, Amazon Web Services (AWS)
April 07, 2017 – AWS RFC Response
“Access Now commends NIST for draft changes that will improve the Framework, in particular by expanding on coordinated vulnerability disclosure and authentication. Implementation of vulnerability disclosure programs and authentication tools will improve security of the organizations and better protect the privacy of stored user data.”
Drew Mitnick, Policy Counsel and Amie Stepanovich U.S. Policy Manager and Global Policy Counsel, Access Now
January 19, 2018 – Access Now RFC Response
“The communications industry has “enthusiastically embraced” the Framework. In November 2017, NIST pointed to the Communications, Security, Reliability, and Interoperability Council (CSRIC) work mapping the Framework to industry activities as a resource for best practices on cybersecurity risk management…. CTIA and its members support NIST’s hard work and collaborative spirit to develop the Framework Version 1.0 and update it.”
Thomas K. Sawanobori, Senior Vice President and Chief Technology Officer; John A. Marinho, Vice President, Technology and Cybersecurity; Melanie K. Tiano, Director, Cybersecurity and Privacy, CTIA
January 19, 2018 – CTIA RFC Response
“The National Credit Union Administration (NCUA) regularly examines credit unions to ensure compliance with these standards and has relied on NIST's guidance to develop its IT examination procedures. Many NAFCU members have benefited from NIST's promulgation of the Framework by using its concepts and terminology to approach data and cybersecurity problems through a common vernacular. In addition, NIST's Framework has aided in the development of the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT), which has served as an informative benchmark for credit unions and other financial institutions. The NCUA indicated in its 2018 Supervisory Priorities that its future cybersecurity examination procedures will substantially mirror the CAT's structure, which is itself a reflection of the Framework…. NAFCU recognizes that the Framework has proven influential in harmonizing government cybersecurity standards and encourages NIST to continue to update the Framework as necessary….”
Andrew Morris, Regulatory Affairs Counsel, NAFCU
January 19, 2018 – NAFCU RFC Response
“Cybernance employs the NIST CSF as the foundation of our automated SaaS cyber assessment and monitoring platform, which enables corporate directors and non-technical stakeholders to engage in cyber risk and resilience oversight.”
“Symantec continues to incorporate the CSF into multiple aspects of our business, both internal and external. We remain strong advocates of the CSF and have dedicated resources to educate organizations and individuals across multiple industry verticals and promote the adoption of the Framework. We have conducted numerous Webinars across multiple industry verticals, including a seven-part series focused on the value of the CSF in Healthcare….”
Jeff Greene, Senior Director, Global Government Affairs & Cybersecurity Policy, Symantec Corporation
January 19, 2018 – Symantec RFC Response
“ISA has worked with the National Association of Corporate Directors (NACD) to integrate models, such as CSF, successfully into enterprise-wide risk management programs…. NIST’s revision in CSF v1.1 Draft 2 Section 4.0 adopts the same principles ISA recommended not only in its comments to CSF v1.1 Draft 1, but also those related to increasing board participation in security discussions, better alignment of cybersecurity with overall risk management and business goals, improved security practices, increased budgets, and fostering an organizational culture of security. Again, we applaud NIST in adopting this recommendation.”
Larry Clinton, President/CEO, Internet Security Alliance
January 19, 2018 – ISA RFC Response
“McAfee is committed to improving the global security ecosystem and has been demonstrating that support by our global outreach in support of the Framework….In our use of the Cybersecurity Framework, we treat it like the risk management framework that it is. As such, we believe tailoring the Framework to meet our business needs is a net positive….Over the last few years the Framework has successfully helped change the security landscape dialog from “compliance” to “risk management” within a large portion of U.S. organizations. This is an extremely positive trend. It is important the Framework continue to pursue this path.
The Framework commendably represents an effort to solve the complex problem of protecting yourselves from cybersecurity threats in a way that harnesses private sector innovation while addressing the cybersecurity needs of governments, businesses and citizens.”
Kent Landfield, McAfee LLC
January 19, 2018 – McAfee RFC Response
“When we asked about motivations for adopting CSF, the security framework driven by the US government, the leading reason for adoption was simply that it was a best practice (70%). This was the most common reason for adopting CSF, far ahead of any requirement by a business partner (29%), federal contract (28%), or other organization (20%).”
Dimensional Research, sponsored by Tenable Network Security
Trends in Security Framework Adoption: A Survey of IT and Security Professionals, March 2016
Tenable CSF Report
"Standard-setting is another path to ensure that companies are aware of best cybersecurity practices. The NIST Cybersecurity Framework, which recognizes five critical functions for managing cybersecurity risk: to identify, protect, detect, respond, and recover from cyber risks, creates a common lexicon for cybersecurity issues. It is an example of a standards tool that was originally targeted for critical infrastructure but then adopted by the broader government community (including other countries, such as Italy) and increasingly by the private sector (NIST 2017)."
The Council of Economic Advisers
February 2018 - The Cost of Malicious Cyber Activity to the U.S. Economy (p. 44)
"Directors should set the expectation that management has considered the NIST Cybersecurity Framework in developing the company’s cyber-risk defense and response plans."
"The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a proven collaborative effort by both the private sector and public sector. It can provide the public sector with a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on organizations."
“We’ve seen small businesses up to large multinationals [use the framework] because of its flexibility…. Back when the framework was being developed…our CTO took a look at the draft and decided to map our CS capabilities to the Framework, and she found that it was much easier to communicate to the BOD about our cybersecurity posture. I think that goes a long way to describe the utility of the framework. People that don’t have a deep background in cs can understand id, protect, detect, respond, recover. So it really helps to facilitate that conversation. Externally, we have taken all of our solutions and mapped them to the now a little bit over 100 subcategories of the Cybersecurity Framework.”
Ken Durbin, Sr. Strategist, Symantec
April 23, 2018 - Embracing the NIST Cybersecurity Framework
"Adopting the NIST Cybersecurity Framework is the most universal solution to demonstrate a commitment to good cybersecurity stewardship. Having a solid understanding of the terminology and the concepts will improve communication with donors, staff, volunteers, vendors, and other partner organizations when aligning with the NIST Cybersecurity Framework."