Perspectives relevant to State, Local, Tribal, and Territorial governments.
“The State of Illinois has adopted the NIST Cybersecurity Framework for the development and improvement of Illinois’ cybersecurity program. Embracing this framework across the State of Illinois enables the state to better understand, manage and reduce cybersecurity risk, enhances communication through the establishment of a common language and provides a consistent cybersecurity maturity measurement capability. While flexible, the adoption of the NIST Cybersecurity Framework as part of the enterprise approach to cybersecurity provides all agencies, boards and commissions with a common and widely-accepted roadmap.”
State of Illinois Cybersecurity Strategy 2017 - 2019 (p. 15)
“State governments are utilizing the Framework to properly identify cybersecurity risk and adopt measures to address gaps in their security posture…. Cybersecurity remains a priority for state CIOs and NASCIO applauds NIST for their commitment to guiding and assisting state government stakeholders as they mature in their enterprise risk management approaches.”
Mark Raymond - President, Chief Information Officer, State of Connecticut and Doug Robinson - Executive Director, National Association of State Chief Information Officers (NASCIO)
April 10, 2017 – NASCIO RFC Response
“The cybersecurity framework allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. The cybersecurity framework also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.”
Federal Cybersecurity Programs: A Resource Guide, National Governors Association, October 2014
The State of Texas Agency Security Plan template developed by the Department of Information Resources uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies. The template is divided into five concurrent and continuous functions, which are the same as the Cybersecurity Framework’s functions.
“Minnesota assesses agencies’ security risks using a ‘score card’ that provides a high-level overview of security across agencies for executives who may not be subject matter experts. Agency heads can examine the 60 sub-metrics in each score card (aligned to the five core functions of the NIST Framework) and focus on boosting specific scores. ... Their [Illinois] strategy contains a grid on how each objective aligns with the NIST Cybersecurity Framework.”
NGA Governors Guide to Cybersecurity, July 2016
“Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.”
“The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey that is now aligned to the NIST CyberSecurity Framework…. the U.S. Department of Homeland Security (DHS) has partnered with the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the NCSR [which] can help serve as a tool to measure progress in cybersecurity and to drive initiatives and priorities according to the identified needs of the SLTT governments.”
The Contra Costa County (CA) Employment & Human Services Department uses the Cybersecurity Framework in its Security Maturity Self-Assessment
Florida Agency for State Technology’s Florida Cybersecurity Standards Risk Assessment Tool v2.2 (aligned to NIST CSF v1.1)
(This risk assessment tool was developed by the Florida Agency for State Technology to manage cybersecurity risk. The tool’s worksheets—as well as the underlying calculations—can be modified by organizations to meet their specific needs.)
The City of Houston's Cybersecurity Control Implementation Interface (CCII) is a web-based application/collection of tools that provides access to policy and procedure boilerplates, interactive utilities, FAQs, a step-by-step road map, and best practices for the implementation of the NIST Cybersecurity Framework.
Resources related to this user group.