
Approaches for Federal Agencies to Use the Cybersecurity Framework



Jeffrey Marron, Victoria Yan Pillitteri, Jon M. Boyens, Stephen Quinn, Gregory Witte


The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices. These examples include support for an Enterprise Risk Management (ERM) approach in alignment with OMB and FISMA requirements that agency heads "manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information." The use of the Cybersecurity Framework's components enables discussion about the various types of risk that might occur within federal organizations and promotes conversations about how to determine the likelihood and potential consequences of risk events. These activities can then be combined with those described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations; SP 800-39, Managing Information Security Risk; and other guidelines to form a comprehensive risk-based approach for security and privacy. This risk-based approach will assist agencies in determining the risks that are relevant to their mission throughout the operational lifecycle and in applying an appropriate type and degree of resources to treat those risks to an acceptable level. Examples in this publication demonstrate the use of the Cybersecurity Framework, the NIST Risk Management Framework (RMF), and other models to evaluate and report agency goals and progress and to inform tailoring activities for managing cybersecurity risk appropriately. Use of a comprehensive cybersecurity risk-based approach, as demonstrated through these examples, supports agencies' activities to meet their concurrent obligations to comply with the requirements of FISMA and Executive Order (EO) 13800.
Report Number: NIST Interagency/Internal Report (NISTIR) 8170


Keywords: Cybersecurity Framework, Enterprise Risk Management, Federal Information Security Management Act (FISMA), Risk Management Framework (RMF), security and privacy controls


Marron, J., Pillitteri, V., Boyens, J., Quinn, S. and Witte, G. (2021), Approaches for Federal Agencies to Use the Cybersecurity Framework, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online] (Accessed April 12, 2024)
Created August 17, 2021, Updated November 29, 2022