Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

This page is no longer being updated and the information may be out of date.

CSF 1.1 Small and Medium Business Perspectives

Perspectives intended to assist small and medium sized businesses.

"NIST understands that not all businesses are created equal, and small and medium-sized businesses (SMBs) are especially strapped for resources, such as staff and budget, to manage risk. With this reality, the simplicity of the NIST CSF proves to be valuable....NIST is continuously looking ahead to create a framework that not only addresses future risks, but does so in a way that provides risk management blueprints for organizations, regardless of their size."

Richard Tracy, CSO, Telos Corporation

July 15, 2020 - Forbes.com - Small Business, Big Impact With NIST’s Cybersecurity Framework


Siemens has seen a tremendous benefit from using the NIST Cybersecurity Framework, not just for ourselves to help mature our organization, but also with customers. Our customers are looking for clear, simple roadmaps. This is especially true for small and medium enterprises that have limited budgets and are looking for practical advice to help them get ready to stop cyber attacks

Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security, Siemens
November 8, 2018 - NIST Cybersecurity Risk Management Conference   


"Small businesses have much to gain by working through the Framework. They can use it to build a cybersecurity program from scratch or help strengthen an existing program. It also represents a valuable professional development exercise by extending conversations about cybersecurity and risk management across a company." 

Carrie Johnson, SDN Communications, Manager, Government and External Relations
October 31, 2016 - Sizing Up the NIST Cybersecurity Framework


“Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%) but even smaller companies with less than 1,000 employees report significant rates of adoption (77%).”

Dimensional Research, sponsored by Tenable Network Security
Trends in Security Framework Adoption: A Survey of IT and Security Professionals, March 2016 (p. 5)


“…the initial NIST Framework has proven useful in better focusing discussion and analysis of the nation’s preparedness and resilience, providing a voluntary resource that can be used by a company of any size to help understand and reduce its cyber risk…. Cybersecurity is a shared responsibility and NTCA looks forward to continuing its partnership with NIST to serve the cybersecurity needs of small communications operators.”

Jill Canfield, Vice President, Legal & Industry and Assistant General Counsel and Jesse Ward, Director, Industry & Policy Analysis, The Rural Broadband Association (NTCA) which represents nearly 850 carriers in 46 states, including small, hometown-based rural telecom providers.
April 10, 2017 – NCTA RFC Response


“We appreciate the deep expertise and the systematic collaborative approach to developing and updating the Framework that NIST has consistently demonstrated. Your changing the initial version of the draft to take into account some of the comments and suggestions submitted in 2017 is a reflection of this approach and of your commitment to working together with the industry, academia, and other stakeholders. The Cybersecurity Framework has become the foundation of cyber risk management for numerous enterprises. It has informed many decisions in cybersecurity and the broader field of cyber risk management."

Alex Krutov, President, Navigation Advisors LLC a small cyber risk analysis firm
January 19, 2018 – Navigation Advisors RFC Response


The National Restaurant Association (NRA) created and widely distributed last year the Cybersecurity 101: A Toolkit for Restaurant Operators guide that details the five functions of the framework in order to assist restaurant operators and executives in adopting an enterprise wide cybersecurity program. Further, the NRA has convened a working group of member companies to develop a cybersecurity framework for the restaurant industry, a sector-specific guidance based on the NIST framework for use by single-unit restaurant operators. More than 7 in 10 restaurants are single-unit operations. The NRA has also hosted NIST for presentations on the cyber framework during association events, including webinars and executive study groups….

National Restaurant Association's 
Cybersecurity 101: A Toolkit for Restaurant Operators 


The U.S. Chamber launched its cybersecurity roundtable series in 2014. This national initiative recommends that businesses of all sizes and sectors adopt fundamental Internet security practices, including using the framework and similar risk management tools, engaging cybersecurity providers, and partnering with law enforcement before cyber incidents occur. The Chamber is in the third year of its cybersecurity campaign….Each roundtable typically features cybersecurity principals from the White House, DHS, NIST, and local FBI and Secret Service officials.”

US Chamber of Commerce
February 9, 2016 – US Chamber of Commerce RFI Response


"One of the key findings is that the NIST Cybersecurity Framework, technically a voluntary standard from the National Institute for Standards and Technology, is becoming mandatory in some markets. Not only are many companies requiring it of their vendors for procurement, but many businesses are adopting it because it helps them run a better business. The NIST framework is the basis for BBB’s [Better Business Bureau’s] training program, “5 Steps to Better Business Cybersecurity.”

Better Business Bureau – 5 Steps to Better Business Cybersecurity

Resources related to this user group.

Created February 1, 2018, Updated February 26, 2024