Approaches for Federal Agencies to Use the Cybersecurity Framework: NIST Publishes NISTIR 8170

Today, NIST has published NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework. It provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. This specific guidance was derived from current Cybersecurity Framework use and implementer feedback. It provides eight example approaches to assist federal agencies as they develop, implement, and continuously improve their cybersecurity risk management programs.

The examples are consistent with OMB Circular A-130, Managing Information as a Strategic Resource, which provides guidance regarding the heavily used NIST Risk Management Framework, associated documents, and the Cybersecurity Framework. The examples also support OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control; use of the Cybersecurity Framework helps to identify, manage, report, and monitor the internal controls needed to properly manage potential information and technology risks to an agency. Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), also released today, decomposes and advances concepts discussed in A-130, A-123, NISTIR 8170, and the Risk Management Framework (RMF).

Released March 19, 2020