Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Approaches for Federal Agencies to Use the Cybersecurity Framework: NIST Publishes NISTIR 8170

NISTIR 8170, "Approaches for Federal Agencies to Use the Cybersecurity Framework," provides guidance on how to use the NIST Cybersecurity Framework in federal agencies, in conjunction with the current and planned suite of NIST security and privacy risk m

Today, NIST has published NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework. It provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. This specific guidance was derived from current Cybersecurity Framework use and implementer feedback. It provides eight example approaches to assist federal agencies as they develop, implement, and continuously improve their cybersecurity risk management programs.

The examples are consistent with OMB Circular A-130, Managing Information as a Strategic Resource, which provides guidance regarding the heavily used NIST Risk Management Framework, associated documents, and the Cybersecurity Framework. The examples also support OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control; use of the Cybersecurity Framework helps to identify, manage, report, and monitor the internal controls needed to properly manage potential information and technology risks to an agency.  Draft NISTIR 8286Integrating Cybersecurity and Enterprise Risk Management (ERM)—also released today—decomposes and advances concepts discussed in A-130, A-123, NISTIR 8170, and the Risk Management Framework (RMF).

Released March 19, 2020