Success Stories - Guidance on Preparation & Review

Criteria for Submission

  • Candidates for success stories may submit ideas to NIST before they prepare the document – or they may simply submit drafts to NIST for review and approval. 

  • All text will be approved both by NIST and the user organization before public release. 

  • Success stories must avoid text or images that suggest NIST’s endorsement. 

  • NIST will make success stories available on the Cybersecurity Framework website and as handouts. Organizations featured in success stories are encouraged to distribute them directly – but should not use success stories to promote products or services. 

  • Organizations featured in success stories will be asked to review and update text annually; outdated stories may be removed from NIST’s website.

How to Submit

  • Success Story correspondence (drafts, ideas, questions, etc.) should be addressed to cyberframework [at] nist.gov (subject: Success Stories).

Success Story Layout

See the Catalog of existing Success Stories for recommended layouts. A template is available here, but its use is not required. Generally, layouts should use the following approach:

First Page:

Stakeholder Quote
  • Quote from a senior official with the organization citing specific benefits of their use of the Framework.
Highlights
  • Three bullets that summarize the success story, including size/type of organization and how the Framework helped to improve cybersecurity risk management (e.g., more comprehensive, enabled prioritization of activities and resources, improved communications and partnerships along the supply chain).

Main Body Text:

Situation
  • Basics about the organization: size, sector, location (facilities, staff, customers), use of contractors, role in supply chains, dependence on supply chains, past cybersecurity-related history.
Drivers
  • Prior approach to cybersecurity risk management. 
  • Why the Framework was selected.

For example: 

  • To standardize/simplify language to improve communications internally or externally.
  • To prioritize requirements and impactful investments. 
  • To self-assess.
  • To be aligned internationally.
  • To understand and address different threats, vulnerabilities, risks, and risk tolerances. 
  • To meet a third party’s requirements. 
  • To strengthen the nation’s cybersecurity infrastructure.
Process
  • Extent and process for using the Framework, including the role of champions and how the Framework was used (e.g., to start a risk management program, improve a program, assess the organization’s situation, meet leadership’s needs).
  • When use of the Framework began, how it was rolled out, what parts of the organization were involved (e.g., across multiple business units, piloted by one unit), training provided, use of contractors.
  • Which elements of the Framework were used and why: Core, Implementation Tiers, Profiles, and Informative References.
  • Role of contractors or partners in using the Framework.
Results and Impacts
  • Specific benefits of using the Framework (e.g., to identify gaps, to refocus or set priorities, to gain greater awareness and alignment across the organization internally and throughout the supply chain).
  • Quantifiable (where possible) benefits and costs of using the Framework, including staff time, assistance from contractors.
Lessons Learned
  • Steps that contributed to – or would have improved – successful use of the Framework (e.g., how the initiative was launched and the importance of laying the groundwork/getting buy-in, questions from leadership that needed to be addressed).
  • Issues that arose during launch and use and how they were resolved.
  • Aspects of use that were unexpected (positive and negative).
  • How to improve cost-effectiveness and efficiency of using the Framework.
What’s Next
  • How the organization will continue to use the Framework, including modifications to prior style of use (e.g., expanded use of Tiers, to drive budget decisions, to inform senior leadership and/or auditors, to better measure benefits and costs of cybersecurity risk management efforts).

Second Page Left Sidebar:

  • Overview: five bullets about Framework uses and the Framework functions wheel graphic provided by NIST.

Second Page Bottom:

Contact Info/Resources, including: user organization’s contact, Cybersecurity Framework website URL, NIST contact (cyberframework [at] nist.gov, subject: Success Stories).

Additional Notes and Tips:

  • Avoid acronyms.
  • Use bullets liberally to enable scanning by reader.
  • Use appropriate graphics to complement the success story; may be photos, diagrams, or illustrations but should not promote a product or service.
  • Submit drafts in Word; final layout (including graphics) will be prepared by NIST and approved by the Cybersecurity Framework program manager at NIST and the user organization’s lead contact prior to public posting and distribution.
     
Created November 5, 2018, Updated April 5, 2019