Perspectives relevant to State, Local, Tribal, and Territorial governments.
“State governments are utilizing the Framework to properly identify cybersecurity risk and adopt measures to address gaps in their security posture…. Cybersecurity remains a priority for state CIOs and NASCIO applauds NIST for their commitment to guiding and assisting state government stakeholders as they mature in their enterprise risk management approaches.”
Mark Raymond Doug Robinson President, Chief Information Officer, State of Connecticut and Doug Robinson President, Executive Director, National Association of State Chief Information Officers (NASCIO)
April 10, 2017 – NASCIO RFC Response
“The cybersecurity framework allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. The cybersecurity framework also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.”
The State of Texas Agency Security Plan template developed by the Department of Information Resources uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies. The template is divided into five concurrent and continuous functions, which are the same as the Cybersecurity Framework’s functions.
“Minnesota assesses agencies’ security risks using a “score card” that provides a high-level overview of security across agencies for executives who may not be subject matter experts. Agency heads can examine the 60 sub-metrics in each score card (aligned to the five core functions of the NIST Framework) and focus on boosting specific scores.,..Their [Illinois] strategy contains a grid on how each objective aligns with the NIST Cybersecurity Framework”
“Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.”
“The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey that is now aligned to the NIST CyberSecurity Framework…. the U.S. Department of Homeland Security (DHS) has partnered with the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the NCSR [which] can help serve as a tool to measure progress in cybersecurity and to drive initiatives and priorities according to the identified needs of the SLTT governments.”
The Contra Costa County (CA) Employment & Human Services Department uses the Cybersecurity Framework in its Security Maturity Self-Assessment
The Florida Agency for State Technology uses the Cybersecurity Framework in its FCS Risk Assessment Tool The tool’s worksheets—as well as the underlying calculations—can be modified by organizations to meet their specific needs.
The City of Houston's Cybersecurity Control Implementation Interface (CCII) is a web based application/collection of tools that provides access to the policies and procedures boilerplates, interactive utilities, FAQ's, a step-by-step road map, and best practices for the implementation of the NIST Cybersecurity Framework. Cybersecurity Control Implementation Interface
“Adding this framework to the existing efforts led by the Secretary of Technology, Chief Information Officer, Chief Information Security Officer and the Virginia Information Technologies Agency will strengthen the Commonwealth’s ability to fight cyber crime and further enhance Virginia’s position as a leader in cybersecurity.”
Virginia Governor Terry McAuliffe, February 2014
Governor McAuliffe Announces Virginia Adopts National Cybersecurity Framework
Resources related to this user group.