Perspectives intended for general applications.
“We adopted the CSF as the foundation of our cybersecurity practice back in 2014 and so it drives all of our standards, all of our strategies, all of our architectures, and all of our communications.”
Michael Lewis, Chevron, NIST Profile on Responsible Use of PNT Services (@ 2:01:53), September 15, 2020
"Cybersecurity is just not a tech challenge, solved only in acquiring a technical solution. It is a business issue that must be addressed comprehensively through people, processes, and technology. The NIST CSF provides a comprehensive and programmatic approach to bridge the organization's business objectives with their security objectives, integrates with other industry security control standards, and is flexible so that any organization can adapt to best suit their needs."
Abby Daniel, Amazon Web Services (AWS) Public Sector Manager for Business Development
August 30, 2019
"The use of the Cybersecurity Framework in our industry primarily is to have a common approach, to have a common rational resource efficient approach to cybersecurity. It makes the entire ecosystem of financial services safer. It can be applied to international expectations around cyber as well as state and national...
…We found for our members, which include the largest global institutions as well as the smallest community banks, that the use of the NIST Cybersecurity Framework was able to reduce their risk management burden about 43% for the largest banks to 73% for the smallest institutions."
Denyette DePiero, Vice President & Senior Counsel, Cybersecurity and Payments Policy, American Bankers Association
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"This Cybersecurity Framework really provides an extension to the cybersecurity solutions that people already have in place. And what it really brings is a much higher level of transparency and trust to their customers, and stakeholders, and interested parties throughout the organization."
John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"Since we've implemented the Framework, the biggest benefit has been I'm hearing more security talk from individuals. Previously, and in most organizations, there's usually a handful of people that talk security, maybe IT, maybe the chief security officer or a security analyst. And since implementing it, it started to affect every individual within the organization."
Koushik Subramanian, Digital Manufacturing and Design Innovation Institute at UI Labs
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"For us, the NIST Framework provides an in-depth approach for addressing security. So at Siemens, we look at security holistically. We think about IT, operational technology, but also product security. And NIST and the NIST Framework, helps us cover all three aspects of our security program..."
Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security, Siemens
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"So since implementing the NIST Cybersecurity Framework, I think the biggest benefit that we've seen to our organization is an increase in investment in cybersecurity. One, because people now understand exactly what we're trying to do, and what we're trying to accomplish with the cybersecurity program. And two, the members outside the cybersecurity team understand why we're doing certain things.
And so we're able to easily communicate and help them understand why we’re investing in these areas. "
Russell Schaefer, Senior Manager at BCG Platinion North America
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"What we love about the Cybersecurity Framework is it takes some very complex ideas and has a way that you can message very simplified outputs in order to communicate not only to internal stakeholders but also to external assessors, governance entities, as well as third parties that might be handling or managing some of the services on your behalf."
Troy Leach, Chief Technology Officer, PCI
November 8, 2018 - NIST Cybersecurity Risk Management Conference
"We believe that the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) has been a remarkable success. It represents one of the best examples of public-private partnerships in action. NIST and multiple stakeholders pride themselves on the Framework’s development and promotion at home and overseas.”
Twenty-four Trade Associations, February 27, 2019
ACT | The App Association, Advanced Medical Technology Association (AdvaMed), Alliance of Automobile Manufacturers, American Fuel & Petrochemical Manufacturers (AFPM), American Trucking Associations (ATA), Association of Home Appliance Manufacturers (AHAM), BSA | The Software Alliance, Computer & Communications Industry Association (CCIA), Consumer Technology Association (CTA), CTIA, Edison Electric Institute (EEI), Information Technology Industry Council (ITI), International Society of Automation (ISA), National Association of Manufacturers (NAM), National Electrical Manufacturers Association (NEMA), National Restaurant Association, NCTA—The Internet & Television Association, NTCA—The Rural Broadband Association, Retail Industry Leaders Association (RILA), Security Industry Association (SIA), Telecommunications Industry Association (TIA), U.S. Chamber of Commerce, USTelecom—The Broadband Association, Utilities Technology Council (UTC)
“The Cybersecurity Framework leverages public-private partnerships, is grounded in sound risk management principles, and fosters innovation due to its flexibility and basis in global standards…. ITI supports the Cybersecurity Framework’s approach of treating privacy and security in an integrated fashion, which mirrors the approach of those companies who integrate their security and privacy risk-management functions and practices.”
John Miller, Vice President, Policy and Law, The Information Technology Industry Council (ITI)
January 14, 2019 - Response to the Privacy Framework RFI
“The power of the CSF framework stems from the manner in which it provided organizations a consistent way to: identify risks requiring management; select controls available to manage the risks; and assess their maturity at managing risks against a target state.”
Eric Wenger, Director, Cybersecurity and Privacy Public Policy, Cisco
January 14, 2019 - Response to the Privacy Framework RFI
“Many directors are concerned about their effectiveness in overseeing cybersecurity. We believe the NIST Cybersecurity Framework (commonly called “CSF”) can be a particularly useful tool for boards. The CSF provides guidance on how directors can engage with company leadership around this critical issue. And, directors don’t need to read the CSF cover to cover. Instead, you can start with our primer.”
PricewaterhouseCoopers
February 2019 - A board’s guide to the NIST Cybersecurity Framework for better risk oversight
"This year’s report is based on data from a survey of 343 cybersecurity professionals and ISSA members. Eighty-five percent of survey respondents resided in North America, 7% came from Europe, 3% from Central/South America, 3% from Asia, and 1% from Africa."
Fig. 22: 52% of survey respondents have adopted some portion or all of the NIST cybersecurity framework
Table 2: The NIST cybersecurity framework became the #1 action reported in 2017, up from #4 in 2016
Jon Oltsik, ESG Senior Principal Analyst
November 2017 - ISSA Research Report
“What was…so important and was a true innovation in the way that it [the Cybersecurity Framework]...created a situation where we, as Intel who’ve got vendors that we work with all over the world, we could do our own analysis under the Cybersecurity Framework to understand our risks, but we actually then took a step forward….driving it into our procurement guidelines…that required all of our vendors to look to it as a guide for them doing their own analysis….That was a global approach.”
David A. Hoffman
Director of Security Policy and Global Privacy Officer - Intel Corporation
September 24th, 2018, Brookings Institution, Center for Technology Innovation Forum on a Privacy Framework
"The Framework for Improving Critical Infrastructure Cybersecurity, developed by the United States National Institute of Standards and Technology (NIST), is an example of a security baseline that has proven to be effective and has therefore quickly gained broad adoption, also outside the United States. Its usefulness can, at least in part, be attributed to the nature of its development process. The Framework was developed in close collaboration with the industry – across different sectors and sizes – in an iterative, consultative process."
Microsoft's 'Cybersecurity Policy Framework' white paper (p. 32)
"It's really Framework first. It's incredibly important today, in this dynamic threat environment, that organizations build an elastic cybersecurity strategy that can grow and expand continuously to mitigate that risk that they face and the framework does exactly that."
Ed Cabrera, Trend Micro's Chief Cybersecurity Officer
June 7, 2018 - NIST Framework as a Foundation
"...business leaders and policymakers view the Framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad....The U.S. Chamber wants companies to invest heavily in sound cybersecurity practices, particularly having a plan and exercising it regularly. The Framework enables organizations—regardless of their size, risk profile, or cyber sophistication—to develop a plan from scratch or improve an existing one."
Matt Eggers, Vice President, Cybersecurity Policy, U.S. Chamber of Commerce
April 16, 2018 - One and Done? Not for NIST and the Cyber Framework
“On behalf of the nearly 200 members of Business Roundtable, an association comprised of chief executive officers of leading U.S. companies representing all sectors of the economy….We believe that NIST’s leadership in developing the voluntary and risk-based Framework has improved our nation’s cybersecurity posture. The Framework provides companies of all sizes with a flexible approach to evaluate their cybersecurity posture as threats and vulnerabilities evolve…. Business Roundtable promotes use of the Framework with our member companies and believes the Framework provides a solid baseline for cybersecurity risk management practices. Many of our member companies leverage the Framework in various ways.”
Julie Sweet, Chief Executive Officer - North America Accenture and Chair, Technology, Internet and Innovation Committee, Business Roundtable
January 19, 2018 – Business Roundtable RFC Response
“…there is broad consensus in industry that the Framework is a sound baseline for businesses’ cyber practices, including internationally. The Chamber…wants to sustain the view held by most businesses and policymakers that the Framework is a cornerstone for managing enterprise cybersecurity risks and threats globally.…”
Ann M. Beauchesne, Senior Vice President, and Matthew J. Eggers, Executive Director, Cybersecurity Policy, U.S. Chamber of Commerce
January 19, 2018 – US Chamber of Commerce RFC Response
“We believe the good principles outlined in the Framework have the potential to help countless organizations …in the development of robust cyber risk management that is more proactive than reactive. Since NIST issued the initial Framework in 2014, PwC has advised clients on the many potential benefits of adopting the Framework. The relevance of the Framework has continued to grow as organizations from a wide array of sectors put it into action. For example, in PwC’s 2018 Global State of Information Security® Survey (GSISS), respondents from healthcare payer and provider organizations, as well as oil and gas companies, say the NIST Cybersecurity Framework is the most commonly adopted set of information security standards in their respective industries. Further, many financial institution clients embrace benchmarking of their cyber risk management programs against the NIST Cybersecurity Framework.”
Sean Joyce, PwC’s Cybersecurity and Privacy practice
January 19, 2018 – PwC RFC Response
“CA Technologies has been an active user of the Cybersecurity Framework for more than two years. The Framework helps provide a common lexicon to discuss cybersecurity risks and priorities throughout our enterprise, and with customers and suppliers. CA has adopted the Framework as the central, organizing foundation for our internal information security program, and it serves as the means through which we communicate CA’s cybersecurity posture to our Board of Directors. CA Technologies is utilizing the Framework to assess, prioritize, and improve our own cybersecurity program. Our use of the Framework reaffirmed and validated many of the controls and processes that we already had in place, and it also aligned with areas where we were investing to improve technology processes. We are using the Framework to continuously evaluate and measure our cybersecurity program and to prioritize the investments we are making to improve our overall posture in a constantly changing cyber threat landscape…. The Cybersecurity Framework is increasingly being adopted by a full range of critical infrastructure and other organizations, both in the US and internationally. The flexibility built into the Framework recognizes that different organizations have diverse business and cybersecurity priorities, and face a range of distinct threats.”
CA Technologies
January 19, 2018 – CA Technologies RFC Response
“…ICBA supports the efforts by NIST to continue to promote the Framework to all sectors beyond critical infrastructure, particularly those not supervised and examined on their cybersecurity risk policies and practices.”
Jeremy Dalpiaz, Assistant Vice President, Cyber Security and Data Security Policy, Independent Community Bankers of America (ICBA)
January 19, 2018 – ICBA RFC Response
“TIA has participated in NIST’s process since the Framework’s inception and is pleased to see the Framework continue to gain popularity as an invaluable resource for cybersecurity risk management across sectors and internationally. TIA and its members look forward to continued partnership on this initiative as we reaffirm commitment to a voluntary, consensus-based, industry-driven approach. In the few years since its publication, the tangible, voluntary nature and utility of the Framework has led to its use beyond the scope of the critical infrastructure organizations for which it was originally conceived. Such use is indicative of the success of the Framework as a burgeoning cybersecurity risk management tool.”
Savannah Schaefer, Policy Counsel, Government Affairs Telecommunications Industry Association (TIA)
January 19, 2018 – TIA RFC Response
“We want to reiterate our support for how the NIST CSF leverages some of the most widely reputed and accepted certifications, which allows adopting organizations and their reviewers (e.g. third party auditors, regulators, oversight entities, etc.) to streamline and re-use, instead of over-engineer and redo.”
Chris Gile, Senior Manager, Amazon Web Services (AWS)
April 7, 2017 – AWS RFC Response
“Access Now commends NIST for draft changes that will improve the Framework, in particular by expanding on coordinated vulnerability disclosure and authentication. Implementation of vulnerability disclosure programs and authentication tools will improve security of the organizations and better protect the privacy of stored user data.”
Drew Mitnick, Policy Counsel, and Amie Stepanovich, U.S. Policy Manager and Global Policy Counsel, Access Now
January 19, 2018 – Access Now RFC Response
“The communications industry has “enthusiastically embraced” the Framework. In November 2017, NIST pointed to the Communications, Security, Reliability, and Interoperability Council (CSRIC) work mapping the Framework to industry activities as a resource for best practices on cybersecurity risk management…. CTIA and its members support NIST’s hard work and collaborative spirit to develop the Framework Version 1.0 and update it.”
Thomas K. Sawanobori, Senior Vice President and Chief Technology Officer; John A. Marinho, Vice President, Technology and Cybersecurity; Melanie K. Tiano, Director, Cybersecurity and Privacy, CTIA
January 19, 2018 – CTIA RFC Response
“The National Credit Union Administration (NCUA) regularly examines credit unions to ensure compliance with these standards and has relied on NIST's guidance to develop its IT examination procedures. Many NAFCU members have benefited from NIST's promulgation of the Framework by using its concepts and terminology to approach data and cybersecurity problems through a common vernacular. In addition, NIST's Framework has aided in the development of the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT), which has served as an informative benchmark for credit unions and other financial institutions. The NCUA indicated in its 2018 Supervisory Priorities that its future cybersecurity examination procedures will substantially mirror the CAT's structure, which is itself a reflection of the Framework…. NAFCU recognizes that the Framework has proven influential in harmonizing government cybersecurity standards and encourages NIST to continue to update the Framework as necessary….”
Andrew Morris, Regulatory Affairs Counsel, NAFCU
January 19, 2018 – NAFCU RFC Response
“Cybernance employs the NIST CSF as the foundation of our automated SaaS cyber assessment and monitoring platform, which enables corporate directors and non-technical stakeholders to engage in cyber risk and resilience oversight.”
Joseph A. Pidala, Product Manager, Cybernance Corporation
January 18, 2018 – Cybernance RFC Response
“Symantec continues to incorporate the CSF into multiple aspects of our business, both internal and external. We remain strong advocates of the CSF and have dedicated resources to educate organizations and individuals across multiple industry verticals and promote the adoption of the Framework. We have conducted numerous Webinars across multiple industry verticals, including a seven-part series focused on the value of the CSF in Healthcare….”
Jeff Greene, Senior Director, Global Government Affairs & Cybersecurity Policy, Symantec Corporation
January 19, 2018 – Symantec RFC Response
“McAfee is committed to improving the global security ecosystem and has been demonstrating that support by our global outreach in support of the Framework….In our use of the Cybersecurity Framework, we treat it like the risk management framework that it is. As such, we believe tailoring the Framework to meet our business needs is a net positive….Over the last few years the Framework has successfully helped change the security landscape dialog from “compliance” to “risk management” within a large portion of U.S. organizations. This is an extremely positive trend. It is important the Framework continue to pursue this path.
The Framework commendably represents an effort to solve the complex problem of protecting yourselves from cybersecurity threats in a way that harnesses private sector innovation while addressing the cybersecurity needs of governments, businesses and citizens.”
Kent Landfield, McAfee LLC
January 19, 2018 – McAfee RFC Response
“When we asked about motivations for adopting CSF, the security framework driven by the US government, the leading reason for adoption was simply that it was a best practice (70%). This was the most common reason for adopting CSF, far ahead of any requirement by a business partner (29%), federal contract (28%), or other organization (20%).”
Dimensional Research, sponsored by Tenable Network Security
Trends in Security Framework Adoption: A Survey of IT and Security Professionals, March 2016
Tenable CSF Report
"Standard-setting is another path to ensure that companies are aware of best cybersecurity practices. The NIST Cybersecurity Framework, which recognizes five critical functions for managing cybersecurity risk: to identify, protect, detect, respond, and recover from cyber risks, creates a common lexicon for cybersecurity issues. It is an example of a standards tool that was originally targeted for critical infrastructure but then adopted by the broader government community (including other countries, such as Italy) and increasingly by the private sector (NIST 2017)."
The Council of Economic Advisers
February 2018 - The Cost of Malicious Cyber Activity to the U.S. Economy (p. 44)
"Directors should set the expectation that management has considered the NIST Cybersecurity Framework in developing the company’s cyber-risk defense and response plans."
National Association of Corporate Directors Cyber-Risk Oversight Handbook 2017 (p. 16)
"The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a proven collaborative effort by both the private sector and public sector. It can provide the public sector with a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on organizations."
Cisco 2018 Annual Cybersecurity Report (p. 14)
“We’ve seen small businesses up to large multinationals [use the framework] because of its flexibility…. Back when the framework was being developed…our CTO took a look at the draft and decided to map our CS capabilities to the Framework, and she found that it was much easier to communicate to the BOD about our cybersecurity posture. I think that goes a long way to describe the utility of the framework. People that don’t have a deep background in cs can understand id, protect, detect, respond, recover. So it really helps to facilitate that conversation. Externally, we have taken all of our solutions and mapped them to the now a little bit over 100 subcategories of the Cybersecurity Framework.”
Ken Durbin, Sr. Strategist, Symantec
April 23, 2018 - Embracing the NIST Cybersecurity Framework
"Adopting the NIST Cybersecurity Framework is the most universal solution to demonstrate a commitment to good cybersecurity stewardship. Having a solid understanding of the terminology and the concepts will improve communication with donors, staff, volunteers, vendors, and other partner organizations when aligning with the NIST Cybersecurity Framework."
Threat Sketch's Nonprofit Executive’s Guide to Cyber Risk Management and the NIST Cybersecurity Framework