
Perspectives on the Framework

General perspectives about the NIST Cybersecurity Framework

Perspectives intended for general applications.

Improving communication and understanding around cybersecurity: Troy Leach (PCI Security Standards Council), Linda Conrad (U. of MD), Dave Simprini (Grant Thornton), Koushik Subramanian (UI Labs)
Identifying gaps in cybersecurity capabilities: Robert Mayer (USTelecom)
Flexibility and ease of use: Leo Simonovich (Siemens), Daniel Caduff (Switzerland Federal Office for National Economic Supply), Rob Arnold (Threat Sketch), Denyette Depierro (American Bankers Association), Robert Mayer (USTelecom), Bruce Potter (Expel)
The Framework's "Identify" function: Stuart Daniels (Government of Bermuda)
Changing cybersecurity culture: Russell Schaefer (BCG), Erica Hupka (U. of Kansas Medical Center), Koushik Subramanian (UI Labs), Daniel Caduff (Switzerland Federal Office for National Economic Supply)
The Framework's "Respond" function: Rob Arnold (Threat Sketch)

“We adopted the CSF as the foundation of our cybersecurity practice back in 2014 and so it drives all of our standards, all of our strategies, all of our architectures, and all of our communications.”
Michael Lewis, Chevron, NIST Profile on Responsible Use of PNT Services (@ 2:01:53), September 15, 2020


"Cybersecurity is just not a tech challenge, solved only in acquiring a technical solution. It is a business issue that must be addressed comprehensively through people, processes, and technology. The NIST CSF provides a comprehensive and programmatic approach to bridge the organization's business objectives with their security objectives, integrates with other industry security control standards, and is flexible so that any organization can adapt to best suit their needs."

Abby Daniel, Amazon Web Services (AWS) Public Sector Manager for Business Development
August 30, 2019


"The use of the Cybersecurity Framework in our industry primarily is to have a common approach, to have a common rational resource efficient approach to cybersecurity. It makes the entire ecosystem of financial services safer. It can be applied to international expectations around cyber as well as state and national...
….We found for our members, which include the largest global institutions as well as the smallest community banks that the use of the NIST Cybersecurity Framework was able to reduce their risk management burden about 43% for the largest banks to 73% for the smallest institutions."

Denyette DePiero, Vice President & Senior Counsel, Cybersecurity and Payments Policy, American Bankers Association
November 8, 2018 - NIST Cybersecurity Risk Management Conference   


"This Cybersecurity Framework really provides an extension to the cybersecurity solutions that people already have in place. And what it really brings is a much higher level of transparency and trust to their customers, and stakeholders, and interested parties throughout the organization."

John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
November 8, 2018 - NIST Cybersecurity Risk Management Conference   

Academic perspectives about the NIST Cybersecurity Framework

Perspectives related to the academia discipline.

“There are many security frameworks, but we found that the Cybersecurity Framework was well-aligned with our main objective, which was to establish a common language for communicating cybersecurity risks across the Division,”

Plamen Martinov, CISO, Biological Sciences Division, University of Chicago
April 2018 - Framework Success Story


"There are many security frameworks, but we found that the Cybersecurity Framework was well-aligned with our main objective, which was to establish a common language for communicating cybersecurity risks across the Division….The Cybersecurity Framework enabled the BSD to identify security requirements as a set of target outcomes to be achieved, while enabling departments to maintain internal processes and procedures regarding how to achieve those outcomes. As a result…. each department has gained an understanding of BSD’s cybersecurity goals and how these may be attained in a cost-effective manner over the span of the next few years. Using the Cybersecurity Framework helped foster information sharing and good practices among departments.”

Biological Sciences Division of the University of Chicago
Applying the Cybersecurity Framework at the University of Chicago: An Education Case Study


“We wanted to develop an action plan for cybersecurity. Based on the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder enables us to strategically choose where we are going to invest our time or resources. It has helped us explain to people outside information security what we do and to hone our communication skills, especially with the senior leaders of the organization so they can be advocates for us. It’s enabled deliberate reflection on what is and isn’t working well, what our gaps are, what we should be offering, and how that might diverge from where we are today. This framework also has allowed us to open the door to a lot more people for this conversation.”

Steffani Webb, Vice Chancellor for Administration, University of Kansas Medical Center

Perspectives about the NIST Cybersecurity Framework related to the 16 U.S. Critical Infrastructure sectors

Perspectives related to the 16 U.S. Critical Infrastructure sectors.

 

Erica Hupka from the University of Kansas Medical Center talks about the healthcare community's use of the NIST Cybersecurity Framework.

“…the NIST Cybersecurity Framework was instrumental in identifying best practices and voluntary measures that can help companies operationalize security risk management and security-by-design….The NIST Cybersecurity Framework is in many respects the seminal document on cybersecurity risk management.”

Loretta Polk, Vice President & Deputy General Counsel, and Rick Chessen, Senior Vice President Law & Regulatory Policy, NCTA – The Internet & Television Association (NCTA)
January 14, 2019 - Response to the Privacy Framework RFI


“There are many available standards our cybersecurity community may utilize to guide an agency in their quest for furthering its cybersecurity program. With NIST’s Cybersecurity Framework (CSF) designated as a tool federal agencies should use, our local community, across the Nation, was incentivized to also follow the Framework. The NIST CSF has served as a superb standard to enable all agencies to be on the same ‘measurement’ page. This allows agencies to be measured and evaluated equally. The adoption of the NIST CSF for MS-ISAC’s Nationwide Cybersecurity Review (NCSR) was a huge step in improving our state, local, tribal and territorial (SLTT) communities’ metric of year-to-year and peer-to-peer comparisons on a national scale. As CISO to both Napa and Mono Counties (California), I have greatly benefited by using NIST’s CSF in conjunction with MS-ISAC’s NCSR. The majority of California counties have also adopted NIST’s CSF as the appropriate tool for our statewide standard.” 

Gary Coverdale, CISO, Napa and Mono Counties, CA
November 2018 - Framework Success Story


"We have worked with a variety of industries, primarily in the private sector, that have had a thirst to find some mechanism to improve how they identify and articulate risk. What the CSF does so well is create an ability to take very complex risk concepts and produce a simplified outcome that can be effectively communicated to a broad group of stakeholders. This provides a way to express to third parties -- that may have direct access to sensitive data as part of a service they offer -- how risk has been evaluated by their business partners. In turn, that creates a more healthy conversation between companies as to how best protect that data."

Troy Leach
CTO - PCI Council

Perspectives about the NIST Cybersecurity Framework from and for U.S. Federal Agencies

Perspectives from and for U.S. Federal Agencies.

Users of the NIST Cybersecurity Framework talk about how it can help change an organization's cybersecurity culture. Featured: Russell Schaefer, BCG Platinion North America; Erica Hupka, University of Kansas Medical Center; Koushik Subramanian, UI Labs; and Daniel Caduff, Switzerland's Federal Office for National Economic Supply

"Another key resource developed through the collaboration between government and industry is the National Institute of Standards and Technology Cybersecurity Framework (https://www.nist.gov/cyberframework). This voluntary framework provides a mapping of cybersecurity control objectives to industry standards, guidelines, and practices designed to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."

January 27, 2020 - OCIE Cybersecurity and Resiliency Observations (p. 10)


“Our postmarket guidance outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use. The FDA’s policy leverages the National Institute for Standards and Technology’s Framework for Improving Cybersecurity of Critical Infrastructure. This underscores the importance of adoption by medical device manufacturers of the Framework’s five core functions – identify, protect, detect, respond and recover.” 

Statement from FDA Commissioner Scott Gottlieb, Oct 1, 2018


“I also encourage every American to learn more about how to protect themselves and their businesses through the Department of Homeland Security’s STOP.THINK.CONNECT. campaign and the Department of Commerce’s NIST Cybersecurity Framework.” 

President Donald J. Trump
September 28, 2018 - Presidential Proclamation on National Cybersecurity Awareness Month


“…NIST and industry, which jointly developed the Framework, are pleased that the Framework is being identified as an ideal means to manage agencies’ cyber risks.”

Ann M. Beauchesne, Senior Vice President, and Matthew J. Eggers, Executive Director, Cybersecurity Policy, U.S. Chamber of Commerce
January 19, 2018 – US Chamber of Commerce RFC Response

Perspectives about the NIST Cybersecurity Framework relevant for international organizations and governments of other nations

Perspectives relevant for international organizations and governments of other nations.

 

Users of the NIST Cybersecurity Framework talk about its use by the international community. Featured: Stuart Daniels, Government of Bermuda; John Dimaria, Cloud Security Alliance; Mihoko Matsubara, Nippon Telegraph and Telephone Corporation; Daniel Caduff, Switzerland's Federal Office for National Economic Supply; and Leo Simonovich, Siemens

"A lot of cybersecurity issues is still about raising awareness among people. It's still about making people aware that cybersecurity is not a state they can achieve but a process they have to execute every day again and again. And that's really the huge benefits that in this Cybersecurity Framework provided to us because it's this change of thinking.
It's not thinking of security as a state you can achieve, but it's a way of thinking security as a process. And that's really something that helped us to address the different challenges in cybersecurity."

Daniel Caduff, Deputy Head, ICT Division, Federal Office for National Economic Supply, Government of Switzerland
November 8, 2018 - NIST Cybersecurity Risk Management Conference 


"When the NIST Cybersecurity Framework was first introduced, it was introduced at fairly senior levels, to members of Cabinet. And they were very responsive to that. And they were very impressed that this was a framework that was endorsed and developed by the US federal government. And they were also impressed by the alignment with other standards such as COBIT and ISO, for example."

Stewart Daniels, Security Manager, Department of Information and Digital Technologies, Government of Bermuda
November 8, 2018 - NIST Cybersecurity Risk Management Conference   


"Since the NIST Cybersecurity Framework is globally applied, it has helped the Cross-Sector Forum have a shared language among different industry sectors and facilitated our comprehensive discussions between member companies in Japan and their subsidiaries outside Japan."

Koji Ueno, Chairperson, Japanese Cross-Sector Forum
October 2018 – Framework Success Story

Perspectives about the NIST Cybersecurity Framework to assist small and medium sized businesses

Perspectives intended to assist small and medium sized businesses.

"NIST understands that not all businesses are created equal, and small and medium-sized businesses (SMBs) are especially strapped for resources, such as staff and budget, to manage risk. With this reality, the simplicity of the NIST CSF proves to be valuable....NIST is continuously looking ahead to create a framework that not only addresses future risks, but does so in a way that provides risk management blueprints for organizations, regardless of their size."

Richard Tracy, CSO, Telos Corporation

"Siemens has seen a tremendous benefit from using the NIST Cybersecurity Framework, not just for ourselves to help mature our organization, but also with customers. Our customers are looking for clear, simple roadmaps. This is especially true for small and medium enterprises that have limited budgets and are looking for practical advice to help them get ready to stop cyber attacks."

Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security, Siemens
November 8, 2018 - NIST Cybersecurity Risk Management Conference   


"Small businesses have much to gain by working through the Framework. They can use it to build a cybersecurity program from scratch or help strengthen an existing program. It also represents a valuable professional development exercise by extending conversations about cybersecurity and risk management across a company." 

Carrie Johnson, SDN Communications, Manager, Government and External Relations
October 31, 2016 - Sizing Up the NIST Cybersecurity Framework

Perspectives about the NIST Cybersecurity Framework relevant to State, Local, Tribal, and Territorial governments

Perspectives relevant to State, Local, Tribal, and Territorial governments.

“The State of Illinois has adopted the NIST Cybersecurity Framework for the development and improvement of Illinois’ cybersecurity program. Embracing this framework across the State of Illinois enables the state to better understand, manage and reduce cybersecurity risk, enhances communication through the establishment of a common language and provides a consistent cybersecurity maturity measurement capability. While flexible, the adoption of the NIST Cybersecurity Framework as part of the enterprise approach to cybersecurity provides all agencies, boards and commissions with a common and widely-accepted roadmap.” 

State of Illinois Cybersecurity Strategy 2017 - 2019 (p. 15)


“State governments are utilizing the Framework to properly identify cybersecurity risk and adopt measures to address gaps in their security posture…. Cybersecurity remains a priority for state CIOs and NASCIO applauds NIST for their commitment to guiding and assisting state government stakeholders as they mature in their enterprise risk management approaches.”

Mark Raymond - President, Chief Information Officer, State of Connecticut and Doug Robinson -  Executive Director, National Association of State Chief Information Officers (NASCIO)
April 10, 2017 – NASCIO RFC Response


“The cybersecurity framework allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. The cybersecurity framework also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.”

Federal Cybersecurity Programs: A Resource Guide, National Governors Association, October 2014

Created February 6, 2018, Updated October 5, 2020