Success Stories - Guidance on Preparation & Review
Criteria for Submission
Candidates for success stories may submit ideas to NIST before they prepare the document – or they may simply submit drafts to NIST for review and approval.
All text will be approved both by NIST and the user organization before public release.
Success stories must avoid text or images that suggest NIST’s endorsement.
NIST will make success stories available on the Cybersecurity Framework website and as handouts. Organizations featured in success stories are encouraged to distribute them directly – but should not use success stories to promote products or services.
Organizations featured in success stories will be asked to review and update text annually; outdated stories may be removed from NIST’s website.
How to Submit
- Success Story correspondence (drafts, ideas, questions, etc.) should be addressed to cyberframework [at] nist.gov (subject: Success%20Stories)
Success Story Layout
See the Catalog of existing Success Stories for recommended layouts. A template is available here, but its use is not required. Generally, layouts should use the following approach:
- Quote from a senior official with the organization citing specific benefits of their use of the Framework.
- Three bullets that summarize the success story, including size/type of organization and how the Framework helped to improve cybersecurity risk management (e.g., more comprehensive, enabled prioritization of activities and resources, improved communications and partnerships along the supply chain.)
Main Body Text:
- Basics about the organization: size, sector, location (facilities, staff, customers), use of contractors, role in supply chains, dependence on supply chains, past cybersecurity-related history.
- Prior approach to cybersecurity risk management.
- Why the Framework was selected.
- To standardize/simplify language to improve communications internally or externally.
- To prioritize requirements and impactful investments.
- To self-assess. To be aligned internationally.
- To understand and address different threats, vulnerabilities, risks, and risk tolerances.
- To meet a third party’s requirements.
- To strengthen the nation’s cybersecurity infrastructure.
- Extent and process for using the Framework, including the role of champions and how the Framework was used (e.g., to start a risk management program, improve a program, assess the organization’s situation, meet leadership’s needs).
- When use of the Framework began, how it was rolled out, what parts of the organization were involved (e.g., across multiple business units, piloted by one unit), training provided, use of contractors.
- Which elements of the Framework were used and why: Core, Implementation Tiers, Profiles, and Informative References.
- Role of contractors or partners in using the Framework.
Results and Impacts
- Specific benefits of using the Framework (e.g., to identify gaps, to refocus or set priorities, to gain greater awareness and alignment across the organization internally and throughout the supply chain.)
- Quantifiable (where possible) benefits and costs of using the Framework, including staff time, assistance from contractors.
- Steps that contributed to – or would have improved – successful use of the Framework (e.g., how the initiative was launched and the importance of laying the groundwork/getting buy-in, questions from leadership that needed to be addressed).
- Issues that arose during launch and use and how they were resolved.
- Aspects of use that were unexpected (positive and negative).
- How to improve cost-effectiveness and efficiency of using the Framework.
- How the organization will continue to use the Framework, including modifications to prior style of use (e.g., expanded use of Tiers, to drive budget decisions, to inform senior leadership and/or auditors, to better measure benefits and costs of cybersecurity risk management efforts).
Second Page Left Sidebar:
- Overview five bullets about Framework uses and Framework functions wheel graphic provided by NIST.
Second Page Bottom:
Contact Info/Resources, including: user organization’s contact, Cybersecurity Framework website URL, NIST contact (cyberframework [at] nist.gov (subject: Success%20Stories) )
Additional Notes and Tips:
- Avoid acronyms.
- Use bullets liberally to enable scanning by reader.
- Use appropriate graphics to complement the success story; may be photos, diagrams, or illustrations but should not promote a product or service.
- Submit drafts in Word; final layout (including graphics) will be prepared by NIST and approved by the Cybersecurity Framework program manager at NIST and the user organization’s lead contact prior to public posting and distribution.